[PATCH net-next v2] ipv6: discard fragment queue earlier if there is malformed datagram

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH net-next v2] ipv6: discard fragment queue earlier if there is malformed datagram
@ 2026-02-25 13:37 Fernando Fernandez Mancera
  2026-02-28  3:20 ` patchwork-bot+netdevbpf
  0 siblings, 1 reply; 3+ messages in thread
From: Fernando Fernandez Mancera @ 2026-02-25 13:37 UTC (permalink / raw)
  To: netdev
  Cc: horms, pabeni, kuba, edumazet, dsahern, davem,
	Fernando Fernandez Mancera

Currently the kernel IPv6 implementation is not dicarding the fragment
queue upon receiving a IPv6 fragment that is not 8 bytes aligned. It
relies on queue expiration to free the queue.

While RFC 8200 section 4.5 does not explicitly mention that the rest of
fragments must be discarded, it does not make sense to keep them. The
parameter problem message is sent regardless that. In addition, if the
sender is able to re-compose the datagram so it is 8 bytes aligned it
would qualify as a new whole datagram not fitting into the same fragment
queue.

The same situation happens if segment end is exceeding the IPv6 maximum
packet length. The sooner we can free resources the better during
reassembly, the better.

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
---
v2: handle segment end bigger than IPv6 maximum packet length 
---
 net/ipv6/reassembly.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 25ec8001898d..11f9144bebbe 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -132,6 +132,9 @@ static int ip6_frag_queue(struct net *net,
 		/* note that if prob_offset is set, the skb is freed elsewhere,
 		 * we do not free it here.
 		 */
+		inet_frag_kill(&fq->q, refs);
+		__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
+				IPSTATS_MIB_REASMFAILS);
 		return -1;
 	}

@@ -163,6 +166,9 @@ static int ip6_frag_queue(struct net *net,
 			 * this case. -DaveM
 			 */
 			*prob_offset = offsetof(struct ipv6hdr, payload_len);
+			inet_frag_kill(&fq->q, refs);
+			__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
+					IPSTATS_MIB_REASMFAILS);
 			return -1;
 		}
 		if (end > fq->q.len) {
-- 
2.53.0

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH net-next v2] ipv6: discard fragment queue earlier if there is malformed datagram
  2026-02-25 13:37 [PATCH net-next v2] ipv6: discard fragment queue earlier if there is malformed datagram Fernando Fernandez Mancera
@ 2026-02-28  3:20 ` patchwork-bot+netdevbpf
  2026-02-28  3:56   ` Eric Dumazet
  0 siblings, 1 reply; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-02-28  3:20 UTC (permalink / raw)
  To: Fernando Fernandez Mancera
  Cc: netdev, horms, pabeni, kuba, edumazet, dsahern, davem

Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 25 Feb 2026 14:37:58 +0100 you wrote:
> Currently the kernel IPv6 implementation is not dicarding the fragment
> queue upon receiving a IPv6 fragment that is not 8 bytes aligned. It
> relies on queue expiration to free the queue.
> 
> While RFC 8200 section 4.5 does not explicitly mention that the rest of
> fragments must be discarded, it does not make sense to keep them. The
> parameter problem message is sent regardless that. In addition, if the
> sender is able to re-compose the datagram so it is 8 bytes aligned it
> would qualify as a new whole datagram not fitting into the same fragment
> queue.
> 
> [...]

Here is the summary with links:
  - [net-next,v2] ipv6: discard fragment queue earlier if there is malformed datagram
    https://git.kernel.org/netdev/net-next/c/9ff2d2a98370

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH net-next v2] ipv6: discard fragment queue earlier if there is malformed datagram
  2026-02-28  3:20 ` patchwork-bot+netdevbpf
@ 2026-02-28  3:56   ` Eric Dumazet
  0 siblings, 0 replies; 3+ messages in thread
From: Eric Dumazet @ 2026-02-28  3:56 UTC (permalink / raw)
  To: patchwork-bot+netdevbpf
  Cc: Fernando Fernandez Mancera, netdev, horms, pabeni, kuba, dsahern,
	davem

On Sat, Feb 28, 2026 at 4:20 AM <patchwork-bot+netdevbpf@kernel.org> wrote:
>
> Hello:
>
> This patch was applied to netdev/net-next.git (main)
> by Jakub Kicinski <kuba@kernel.org>:
>
> On Wed, 25 Feb 2026 14:37:58 +0100 you wrote:
> > Currently the kernel IPv6 implementation is not dicarding the fragment
> > queue upon receiving a IPv6 fragment that is not 8 bytes aligned. It
> > relies on queue expiration to free the queue.
> >
> > While RFC 8200 section 4.5 does not explicitly mention that the rest of
> > fragments must be discarded, it does not make sense to keep them. The
> > parameter problem message is sent regardless that. In addition, if the
> > sender is able to re-compose the datagram so it is 8 bytes aligned it
> > would qualify as a new whole datagram not fitting into the same fragment
> > queue.
> >
> > [...]
>
> Here is the summary with links:
>   - [net-next,v2] ipv6: discard fragment queue earlier if there is malformed datagram
>     https://git.kernel.org/netdev/net-next/c/9ff2d2a98370
>
> You are awesome, thank you!
> --
> Deet-doot-dot, I am a bot.
> https://korg.docs.kernel.org/patchwork/pwbot.html
>
>

I somehow missed the V2

Reviewed-by: Eric Dumazet <edumazet@google.com>

Thanks.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-02-28  3:56 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-25 13:37 [PATCH net-next v2] ipv6: discard fragment queue earlier if there is malformed datagram Fernando Fernandez Mancera
2026-02-28  3:20 ` patchwork-bot+netdevbpf
2026-02-28  3:56   ` Eric Dumazet

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox