patch-2.0.24 linux/net/ipv4/ip_fragment.c

• Lines: 78
• Date: Wed Oct 30 03:42:42 1996
• Orig file: v2.0.23/linux/net/ipv4/ip_fragment.c
• Orig date: Sat Aug 10 10:03:16 1996

diff -u --recursive --new-file v2.0.23/linux/net/ipv4/ip_fragment.c linux/net/ipv4/ip_fragment.c
@@ -24,6 +24,7 @@
 #include <net/icmp.h>
 #include <linux/tcp.h>
 #include <linux/udp.h>
+#include <linux/inet.h>
 #include <linux/firewall.h>
 #include <linux/ip_fw.h>
 #include <net/checksum.h>
@@ -47,6 +48,8 @@
 
 atomic_t ip_frag_mem = 0;			/* Memory used for fragments */
 
+char *in_ntoa(unsigned long in);
+
 /*
  *	Memory Tracking Functions
  */
@@ -337,7 +340,15 @@
 	 *	Allocate a new buffer for the datagram.
 	 */
 	len = qp->ihlen + qp->len;
-
+	
+	if(len>65535)
+	{
+		printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr));
+		ip_statistics.IpReasmFails++;
+		ip_free(qp);
+		return NULL;
+	}
+	
 	if ((skb = dev_alloc_skb(len)) == NULL)
 	{
 		ip_statistics.IpReasmFails++;
@@ -366,7 +377,7 @@
 		{
 			NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
 			ip_free(qp);
-			frag_kfree_skb(skb,FREE_WRITE);
+			kfree_skb(skb,FREE_WRITE);
 			ip_statistics.IpReasmFails++;
 			return NULL;
 		}
@@ -424,7 +435,7 @@
 	if (((flags & IP_MF) == 0) && (offset == 0))
 	{
 		if (qp != NULL)
-			ip_free(qp);	/* Huh? How could this exist?? */
+			ip_free(qp);	/* Fragmented frame replaced by full unfragmented copy */
 		return(skb);
 	}
 
@@ -461,11 +472,24 @@
 		if ((qp = ip_create(skb, iph, dev)) == NULL)
 		{
 			skb->sk = NULL;
-			frag_kfree_skb(skb, FREE_READ);
+			kfree_skb(skb, FREE_READ);
 			ip_statistics.IpReasmFails++;
 			return NULL;
 		}
 	}
+	
+	/*
+	 *	Attempt to construct an oversize packet.
+	 */
+	 
+	if(ntohs(iph->tot_len)+(int)offset>65535)
+	{
+		skb->sk = NULL;
+		printk("Oversized packet received from %s\n",in_ntoa(iph->saddr));
+		frag_kfree_skb(skb, FREE_READ);
+		ip_statistics.IpReasmFails++;
+		return NULL;
+	}	
 
 	/*
 	 *	Determine the position of this fragment.