Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v
rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v: warning: Unknown phrases like `commitid ...;' are present.
retrieving revision 1.250.4.5
retrieving revision 1.258
diff -u -p -r1.250.4.5 -r1.258
--- src/sys/netinet/ip_input.c	2007/11/11 16:48:31	1.250.4.5
+++ src/sys/netinet/ip_input.c	2007/12/21 18:58:55	1.258
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.250.4.5 2007/11/11 16:48:31 joerg Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.258 2007/12/21 18:58:55 matt Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -98,7 +98,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.250.4.5 2007/11/11 16:48:31 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.258 2007/12/21 18:58:55 matt Exp $");
 
 #include "opt_inet.h"
 #include "opt_gateway.h"
@@ -896,7 +896,17 @@ ours:
 	 * but it's not worth the time; just let them time out.)
 	 */
 	if (ip->ip_off & ~htons(IP_DF|IP_RF)) {
-
+		uint16_t off;
+		/*
+		 * Prevent TCP blind data attacks by not allowing non-initial
+		 * fragments to start at less than 68 bytes (minimal fragment
+		 * size).
+		 */
+		off = htons(ip->ip_off) & ~(IP_DF|IP_EF|IP_MF);
+		if (off > 0 && off + hlen < IP_MINFRAGSIZE - 1) {
+			ipstat.ips_badfrags++;
+			goto bad;
+		}
 		/*
 		 * Look for queue of fragments
 		 * of this datagram.
@@ -1776,12 +1786,15 @@ ip_srcroute(void)
 }
 
 const int inetctlerrmap[PRC_NCMDS] = {
-	0,		0,		0,		0,
-	0,		EMSGSIZE,	EHOSTDOWN,	EHOSTUNREACH,
-	EHOSTUNREACH,	EHOSTUNREACH,	ECONNREFUSED,	ECONNREFUSED,
-	EMSGSIZE,	EHOSTUNREACH,	0,		0,
-	0,		0,		0,		0,
-	ENOPROTOOPT
+	[PRC_MSGSIZE] = EMSGSIZE,
+	[PRC_HOSTDEAD] = EHOSTDOWN,
+	[PRC_HOSTUNREACH] = EHOSTUNREACH,
+	[PRC_UNREACH_NET] = EHOSTUNREACH,
+	[PRC_UNREACH_HOST] = EHOSTUNREACH,
+	[PRC_UNREACH_PROTOCOL] = ECONNREFUSED,
+	[PRC_UNREACH_PORT] = ECONNREFUSED,
+	[PRC_UNREACH_SRCFAIL] = EHOSTUNREACH,
+	[PRC_PARAMPROB] = ENOPROTOOPT,
 };
 
 /*
@@ -1931,8 +1944,8 @@ ip_forward(struct mbuf *m, int srcrt)
 		type = ICMP_UNREACH;
 		code = ICMP_UNREACH_NEEDFRAG;
 #if !defined(IPSEC) && !defined(FAST_IPSEC)
-		if (ipforward_rt.ro_rt != NULL)
-			destmtu = ipforward_rt.ro_rt->rt_ifp->if_mtu;
+		if ((rt = rtcache_getrt(&ipforward_rt)) != NULL)
+			destmtu = rt->rt_ifp->if_mtu;
 #else
 		/*
 		 * If the packet is routed over IPsec tunnel, tell the
@@ -1940,7 +1953,7 @@ ip_forward(struct mbuf *m, int srcrt)
 		 *	tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
 		 * XXX quickhack!!!
 		 */
-		if (ipforward_rt.ro_rt != NULL) {
+		if ((rt = rtcache_getrt(&ipforward_rt)) != NULL) {
 			struct secpolicy *sp;
 			int ipsecerror;
 			size_t ipsechdr;
@@ -1951,7 +1964,7 @@ ip_forward(struct mbuf *m, int srcrt)
 			    &ipsecerror);
 
 			if (sp == NULL)
-				destmtu = ipforward_rt.ro_rt->rt_ifp->if_mtu;
+				destmtu = rt->rt_ifp->if_mtu;
 			else {
 				/* count IPsec header size */
 				ipsechdr = ipsec4_hdrsiz(mcopy,
@@ -1966,11 +1979,11 @@ ip_forward(struct mbuf *m, int srcrt)
 				 && sp->req->sav != NULL
 				 && sp->req->sav->sah != NULL) {
 					ro = &sp->req->sav->sah->sa_route;
-					if (ro->ro_rt && ro->ro_rt->rt_ifp) {
+					if (rt && rt->rt_ifp) {
 						destmtu =
-						    ro->ro_rt->rt_rmx.rmx_mtu ?
-						    ro->ro_rt->rt_rmx.rmx_mtu :
-						    ro->ro_rt->rt_ifp->if_mtu;
+						    rt->rt_rmx.rmx_mtu ?
+						    rt->rt_rmx.rmx_mtu :
+						    rt->rt_ifp->if_mtu;
 						destmtu -= ipsechdr;
 					}
 				}