From 3a343d42d7bd90753ea6ed48fe750a7a209b1ddf Mon Sep 17 00:00:00 2001
From: Klement Sekera <ksekera@cisco.com>
Date: Thu, 16 May 2019 14:35:46 +0200
Subject: reassembly: prevent long chain attack

limit max # of fragments to 3 per packet by default
add API option to configure the limit at runtime

Change-Id: Ie4b9507bf5c6095b9a5925972b37fe0032f4f9e8
Signed-off-by: Klement Sekera <ksekera@cisco.com>
---
 src/vnet/ip/ip4_reassembly.h | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'src/vnet/ip/ip4_reassembly.h')

diff --git a/src/vnet/ip/ip4_reassembly.h b/src/vnet/ip/ip4_reassembly.h
index 521ca0f1998..4ceb0ab2409 100644
--- a/src/vnet/ip/ip4_reassembly.h
+++ b/src/vnet/ip/ip4_reassembly.h
@@ -30,12 +30,14 @@
  * @brief set ip4 reassembly configuration
  */
 vnet_api_error_t ip4_reass_set (u32 timeout_ms, u32 max_reassemblies,
+				u32 max_reassembly_length,
 				u32 expire_walk_interval_ms);
 
 /**
  * @brief get ip4 reassembly configuration
  */
 vnet_api_error_t ip4_reass_get (u32 * timeout_ms, u32 * max_reassemblies,
+				u32 * max_reassembly_length,
 				u32 * expire_walk_interval_ms);
 
 vnet_api_error_t ip4_reass_enable_disable (u32 sw_if_index,
-- 
cgit 1.2.3-korg