version 1.258, 2007/12/21 18:58:55 |
version 1.259, 2007/12/21 23:49:09 |
|
|
/* |
/* |
* Prevent TCP blind data attacks by not allowing non-initial |
* Prevent TCP blind data attacks by not allowing non-initial |
* fragments to start at less than 68 bytes (minimal fragment |
* fragments to start at less than 68 bytes (minimal fragment |
* size). |
* size) and making sure the first fragment is at least 68 |
|
* bytes. |
*/ |
*/ |
off = htons(ip->ip_off) & ~(IP_DF|IP_EF|IP_MF); |
off = htons(ip->ip_off) & ~(IP_DF|IP_EF|IP_MF); |
if (off > 0 && off + hlen < IP_MINFRAGSIZE - 1) { |
if ((off > 0 ? off + hlen : len) < IP_MINFRAGSIZE - 1) { |
ipstat.ips_badfrags++; |
ipstat.ips_badfrags++; |
goto bad; |
goto bad; |
} |
} |
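Review bot: The new test `if ((off > 0 ? off + hlen : len) < IP_MINFRAGSIZE - 1)` adds `off` to `hlen`, but `off` as computed on the line above is still the raw 13-bit fragment-offset field, which IPv4 expresses in 8-byte units, while `hlen` is presumably a byte count. As written, the comparison does not test the 68-byte boundary the comment describes, and it would likely discard legitimate non-initial fragments that start well past that boundary. Converting to bytes first, e.g. `off = (ntohs(ip->ip_off) & IP_OFFMASK) << 3;`, would make the code match the comment; `ntohs` also states the direction of the conversion, although it performs the same operation as `htons`. The definitions of `len` and `hlen` and the enclosing fragment test are outside this section, so confirm that `len` is the full datagram length including the header and that this path is reached only for fragmented datagrams.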