svn commit: r349366 - head/sys/netpfil/ipfw

Tue Jun 25 11:40:39 UTC 2019

Author: ae
Date: Tue Jun 25 11:40:37 2019
New Revision: 349366
URL: https://svnweb.freebsd.org/changeset/base/349366

Log:
  Follow the RFC 3128 and drop short TCP fragments with offset = 1.
  
  Reported by:	emaste
  MFC after:	1 week

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==============================================================================

--- head/sys/netpfil/ipfw/ip_fw2.c	Tue Jun 25 09:11:22 2019	(r349365)
+++ head/sys/netpfil/ipfw/ip_fw2.c	Tue Jun 25 11:40:37 2019	(r349366)
@@ -1719,6 +1719,11 @@ do {								\
 			default:
 				break;
 			}
+		} else {
+			if (offset == 1 && proto == IPPROTO_TCP) {
+				/* RFC 3128 */
+				goto pullup_failed;
+			}
 		}
 
 		UPDATE_POINTERS();
