Drop packet fragments in the BPF program. No compliant stack should fragment

DHCP messages anyway, since the IPv4 min MTU is 576 bytes and the max DHCP message size + IP and UDP headers is less than that, but it is still worth checking.
2012-07-23 13:18:23 -04:00 · 2012-07-23 13:18:23 -04:00 · 22e5a60671
commit 22e5a60671
parent 483ca6752d
1 changed files with 6 additions and 0 deletions
--- a/ndhc/dhcp.c
+++ b/ndhc/dhcp.c
@ -356,6 +356,12 @@ static int create_raw_listen_socket(struct client_state_t *cs, int ifindex)
        BPF_STMT(BPF_LD + BPF_B + BPF_ABS, 9),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 1, 0),
        BPF_STMT(BPF_RET + BPF_K, 0),
+        // Make certain that the packet is not a fragment.  All bits in
+        // the flag and fragment offset field must be set to zero except
+        // for the Evil and DF bits (0,1).
+        BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 6),
+        BPF_JUMP(BPF_JMP + BPF_JSET + BPF_K, 0x3fff, 0, 1),
+        BPF_STMT(BPF_RET + BPF_K, 0),
        // Packet is UDP.  Advance X past the IP header.
        BPF_STMT(BPF_LDX + BPF_B + BPF_MSH, 0),
        // Verify that the UDP client and server ports match that of the