mirror of
https://github.com/mmueller41/genode.git
synced 2026-01-21 12:32:56 +01:00
nic_router: drop fragmented IPv4
The NIC router used to ignore the IPv4 header fields "More fragments" and "Fragment offset" completely. Therefore higher-level protocols of fragmented IPv4 were interpreted wrong because each fragment was considered a self-standing packet, expecting, for instance UDP/TCP headers somewhere inside of the UDP/TCP data field. Normally, such packets were dropped as soon as the UDP/TCP checksum check failed because of the misinterpretation. However, it was also possible for fragmented IPv4 to pass the router although normally only partially.

IPv4 fragmentation support in the router would introduce some potential security risks and is presumably not an easy endeavor. So, for now, we settled on not supporting IPv4 fragmentation.

With this commit, the router simply drops all fragmented IPv4. This is reflected to the log for each fragment as "drop packet (fragmented IPv4 not supported)" when 'verbose_packet_drop="yes"' is configured. The new test 'run/nic_router_ipv4_fragm' is an automated test for this behavior. The test is added to the autopilot list.

Ref #4236
committed by Christian Helmuth
parent b0e558f486
commit 619474bc90
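The header check the commit message describes, written out as an added example; it is not code from this commit or from the NIC router. The names `Verdict`, `classify_ipv4` and `make_packet` are hypothetical, and the sample packets are constructed.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>

// Hypothetical verdict names for this sketch (not the NIC router's own types)
enum class Verdict { FORWARD, DROP_MALFORMED, DROP_FRAGMENTED };

// Classify a raw IPv4 packet using the two header fields named in the
// commit message: "More fragments" (MF) and "Fragment offset".
Verdict classify_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)        // too short or not IPv4
        return Verdict::DROP_MALFORMED;

    size_t const ihl = (pkt[0] & 0x0f) * 4u;   // header length in bytes
    if (ihl < 20 || ihl > len)
        return Verdict::DROP_MALFORMED;

    // Bytes 6..7: flags (reserved, DF, MF) in the top 3 bits,
    // fragment offset (in 8-byte units) in the low 13 bits.
    uint16_t const ff = static_cast<uint16_t>((pkt[6] << 8) | pkt[7]);
    bool     const more_fragments = (ff & 0x2000) != 0;
    uint16_t const frag_offset    = ff & 0x1fff;

    // MF=1 marks a first or middle fragment, offset != 0 a middle or last
    // one. Testing MF alone would let the last fragment through, and its
    // payload does not start with a UDP/TCP header.
    if (more_fragments || frag_offset != 0)
        return Verdict::DROP_FRAGMENTED;

    return Verdict::FORWARD;
}

// Constructed sample: 20-byte IPv4 header (protocol UDP) plus 8 data bytes.
// Addresses are documentation addresses, the checksum is left at zero.
std::array<uint8_t, 28> make_packet(uint16_t flags_and_offset)
{
    std::array<uint8_t, 28> p {};
    p[0] = 0x45;                       // version 4, IHL 5
    p[3] = 28;                         // total length
    p[6] = static_cast<uint8_t>(flags_and_offset >> 8);
    p[7] = static_cast<uint8_t>(flags_and_offset & 0xff);
    p[8] = 64;                         // TTL
    p[9] = 17;                         // protocol: UDP
    p[12] = 192; p[13] = 0; p[14] = 2; p[15] = 1;   // 192.0.2.1
    p[16] = 192; p[17] = 0; p[18] = 2; p[19] = 2;   // 192.0.2.2
    return p;
}
```

Passing `0x2000`, `0x20b9` and `0x00b9` to `make_packet` yields a first, middle and last fragment respectively; `0x4000` (DF set) and `0x0000` are unfragmented.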
@@ -42,6 +42,7 @@ nic_bridge
|
||||
nic_bridge_stress
|
||||
nic_dump
|
||||
nic_router
|
||||
nic_router_ipv4_fragm
|
||||
nic_router_disable_arp
|
||||
nic_router_dhcp_managed
|
||||
nic_router_dhcp_unmanaged
|
||||
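Review bot: the nic_router_ipv4_fragm entry added after nic_router puts a test into the autopilot list whose expected log line, per the commit message, only appears when verbose_packet_drop="yes" is configured, so the run script should set that attribute explicitly in the router config it generates. It should also check that no fragment arrives on the far side of the router, not only that "drop packet (fragmented IPv4 not supported)" is logged, because the message says fragmented IPv4 could previously pass the router partially and a log match alone would not catch a regression of that kind. The run script and the router change are not part of the lines shown here, so neither point can be confirmed from this hunk.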