From 3a343d42d7bd90753ea6ed48fe750a7a209b1ddf Mon Sep 17 00:00:00 2001
From: Klement Sekera
Date: Thu, 16 May 2019 14:35:46 +0200
Subject: reassembly: prevent long chain attack limit max # of fragments to 3 per packet by default add API option to configure the limit at runtime
Change-Id: Ie4b9507bf5c6095b9a5925972b37fe0032f4f9e8
Signed-off-by: Klement Sekera
---
 src/vnet/ip/ip6_error.h | 2 ++
 1 file changed, 2 insertions(+) (limited to 'src/vnet/ip/ip6_error.h')
diff --git a/src/vnet/ip/ip6_error.h b/src/vnet/ip/ip6_error.h
index 6a20de4f18e..3ca2be61a55 100644
--- a/src/vnet/ip/ip6_error.h
+++ b/src/vnet/ip/ip6_error.h
@@ -81,6 +81,8 @@
 _ (REASS_DUPLICATE_FRAGMENT, "duplicate fragments") \
 _ (REASS_OVERLAPPING_FRAGMENT, "overlapping fragments") \
 _ (REASS_LIMIT_REACHED, "drops due to concurrent reassemblies limit") \
+ _ (REASS_FRAGMENT_CHAIN_TOO_LONG, "fragment chain too long (drop)") \
+ _ (REASS_NO_BUF, "out of buffers (drop)") \
 _ (REASS_TIMEOUT, "fragments dropped due to reassembly timeout") \
 _ (REASS_INTERNAL_ERROR, "drops due to internal reassembly error")
--
cgit 1.2.3-korg
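Review bot: The two added counter strings, `"fragment chain too long (drop)"` and `"out of buffers (drop)"`, end in "(drop)" where the neighbouring entries spell out the cause ("drops due to concurrent reassemblies limit", "fragments dropped due to reassembly timeout"), and neither names the limit or the subsystem it belongs to. REASS_FRAGMENT_CHAIN_TOO_LONG is the counter an operator would watch to see the per-packet fragment limit from the commit message taking effect, so I would word both like their neighbours, e.g. `_ (REASS_FRAGMENT_CHAIN_TOO_LONG, "drops due to max fragments per reassembly limit") \` and `_ (REASS_NO_BUF, "drops due to reassembly running out of buffers") \`. The entries are also inserted mid-list, and the list macro begins and its `_` expansion is defined outside this hunk. If that expansion numbers the errors by position, REASS_TIMEOUT and REASS_INTERNAL_ERROR move by two, so appending at the end would be safer for anything keyed on the numeric value.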