From 22e5a60671a996341f0e5b7aa43ccc12130583ef Mon Sep 17 00:00:00 2001
From: "Nicholas J. Kain"
Date: Mon, 23 Jul 2012 13:18:23 -0400
Subject: [PATCH] Drop packet fragments in the BPF program.

No compliant stack should fragment DHCP messages anyway, since the IPv4 min MTU is 576 bytes and the max DHCP message size + IP and UDP headers is less than that, but it is still worth checking.
---
ndhc/dhcp.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/ndhc/dhcp.c b/ndhc/dhcp.c
index cc060d8..b43cfe8 100644
--- a/ndhc/dhcp.c
+++ b/ndhc/dhcp.c
@@ -356,6 +356,12 @@ static int create_raw_listen_socket(struct client_state_t *cs, int ifindex)
 BPF_STMT(BPF_LD + BPF_B + BPF_ABS, 9),
 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 1, 0),
 BPF_STMT(BPF_RET + BPF_K, 0),
+ // Make certain that the packet is not a fragment. All bits in
+ // the flag and fragment offset field must be set to zero except
+ // for the Evil and DF bits (0,1).
+ BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 6),
+ BPF_JUMP(BPF_JMP + BPF_JSET + BPF_K, 0x3fff, 0, 1),
+ BPF_STMT(BPF_RET + BPF_K, 0),
 // Packet is UDP. Advance X past the IP header.
 BPF_STMT(BPF_LDX + BPF_B + BPF_MSH, 0),
 // Verify that the UDP client and server ports match that of the
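Review bot: The mask `0x3fff` in the added `BPF_JSET` is a bare magic number, and the comment's "(0,1)" bit numbering does not say which end it counts from, so a reader cannot easily confirm that the test covers exactly the MF flag and the 13-bit fragment offset. I would spell the mask out next to the jump, e.g. `// 0x3fff = MF (0x2000) | fragment offset (0x1fff); reserved (0x8000) and DF (0x4000) are ignored`, or write it as `IP_MF | IP_OFFMASK` if `<netinet/ip.h>` is already included in this file (not visible here). The filter array begins and ends outside the hunk, so it is also worth confirming that no earlier instruction carries a relative jump that spans the three inserted instructions, since its offset would now land on a different statement.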