reassembly: prevent long chain attack

limit max # of fragments to 3 per packet by default add API option to configure the limit at runtime Change-Id: Ie4b9507bf5c6095b9a5925972b37fe0032f4f9e8 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-05-16 14:35:46 +02:00
parent b388e1a506
commit 3a343d42d7
11 changed files with 181 additions and 13 deletions
--- a/test/test_ipip.py
+++ b/test/test_ipip.py
@ -160,6 +160,11 @@ class TestIPIP(VppTestCase):
            sw_if_index=self.pg1.sw_if_index,
            enable_ip4=1)

+        self.vapi.ip_reassembly_set(timeout_ms=1000, max_reassemblies=1000,
+                                    max_reassembly_length=1000,
+                                    expire_walk_interval_ms=10000,
+                                    is_ip6=0)
+
        # Send lots of fragments, verify reassembled packet
        frags, p4_reply = self.generate_ip4_frags(3131, 1400)
        f = []
@ -415,6 +420,11 @@ class TestIPIP6(VppTestCase):
            sw_if_index=self.pg1.sw_if_index,
            enable_ip6=1)

+        self.vapi.ip_reassembly_set(timeout_ms=1000, max_reassemblies=1000,
+                                    max_reassembly_length=1000,
+                                    expire_walk_interval_ms=10000,
+                                    is_ip6=1)
+
        # Send lots of fragments, verify reassembled packet
        before_cnt = self.statistics.get_counter(
            '/err/ipip6-input/packets decapsulated')