From: Fernando Fernandez Mancera <fmancera@suse.de>
To: netdev@vger.kernel.org
Cc: horms@kernel.org, pabeni@redhat.com, kuba@kernel.org,
edumazet@google.com, dsahern@kernel.org, davem@davemloft.net,
Fernando Fernandez Mancera <fmancera@suse.de>
Subject: [PATCH net-next v2] ipv6: discard fragment queue earlier if there is malformed datagram
Date: Wed, 25 Feb 2026 14:37:58 +0100
Message-ID: <20260225133758.4553-1-fmancera@suse.de>

Currently the kernel IPv6 implementation is not discarding the fragment
queue upon receiving an IPv6 fragment that is not 8 bytes aligned. It
relies on queue expiration to free the queue.

While RFC 8200 section 4.5 does not explicitly mention that the rest of
fragments must be discarded, it does not make sense to keep them. The
parameter problem message is sent regardless of that. In addition, if the
sender is able to re-compose the datagram so it is 8 bytes aligned it
would qualify as a new whole datagram not fitting into the same fragment
queue.

The same situation happens if segment end is exceeding the IPv6 maximum
packet length. The sooner we can free resources during reassembly, the
better.

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
---
v2: handle segment end bigger than IPv6 maximum packet length
---
net/ipv6/reassembly.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 25ec8001898d..11f9144bebbe 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -132,6 +132,9 @@ static int ip6_frag_queue(struct net *net,
/* note that if prob_offset is set, the skb is freed elsewhere,
* we do not free it here.
*/
+ inet_frag_kill(&fq->q, refs);
+ __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
+ IPSTATS_MIB_REASMFAILS);
return -1;
}
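Review bot: the comment directly above the added inet_frag_kill() call still only covers skb ownership ("if prob_offset is set, the skb is freed elsewhere") and does not say why the queue is now torn down on this path. Extending it with a line stating that the whole queue is dropped immediately instead of waiting for expiration would keep the comment in step with the code. Since the hunk passes refs into inet_frag_kill() and then returns -1, the changelog should also state that the caller applies refs on the error return, because that cannot be checked from the lines shown here.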
@@ -163,6 +166,9 @@ static int ip6_frag_queue(struct net *net,
* this case. -DaveM
*/
*prob_offset = offsetof(struct ipv6hdr, payload_len);
+ inet_frag_kill(&fq->q, refs);
+ __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
+ IPSTATS_MIB_REASMFAILS);
return -1;
}
if (end > fq->q.len) {
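Review bot: the three lines added after the *prob_offset = offsetof(struct ipv6hdr, payload_len) assignment are a verbatim copy of the ones added in the previous hunk. Two hand-maintained copies of the kill-and-count sequence can drift apart, for example if one later gains a drop reason or a different MIB counter. Consider a small static helper, or a shared exit label that calls inet_frag_kill() and bumps IPSTATS_MIB_REASMFAILS without freeing the skb, and use it from both malformed-fragment paths.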
--
2.53.0