Hello everyone who develops the kernel. At first I looked for the author of this source file, but his email address is no longer valid, so I can only come here to ask.
The problem is in the file net/ipv6/reassembly.c, whose author is Pedro Roque. I found some strange places when reading the code of this file (Linux kernel version 4.18).

In net/ipv6/reassembly.c, in the function ip6_frag_queue:

	offset = ntohs(fhdr->frag_off) & ~0x7;
	end = offset + (ntohs(ipv6_hdr(skb)->payload_len) -
			((u8 *)(fhdr + 1) - (u8 *)(ipv6_hdr(skb) + 1)));

	if ((unsigned int)end > IPV6_MAXPLEN) {
		*prob_offset = (u8 *)&fhdr->frag_off - skb_network_header(skb);
		return -1;
	}

Here the length of the payload is checked. And in the function ip6_frag_reasm:

	payload_len = ((head->data - skb_network_header(head)) -
		       sizeof(struct ipv6hdr) + fq->q.len -
		       sizeof(struct frag_hdr));
	if (payload_len > IPV6_MAXPLEN)
		goto out_oversize;
	......
out_oversize:
	net_dbg_ratelimited("ip6_frag_reasm: payload len = %d\n", payload_len);
	goto out_fail;

Here the payload length is also checked, so the payload length is checked twice. I tested this, and the code under the label "out_oversize:" does not execute at all, because the function has already returned in ip6_frag_queue. Only if I comment out the payload length check in ip6_frag_queue can the code under "out_oversize:" be executed. So, is this check repeated?
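A user-space model of the two checks, added here as an example; it is not code from net/ipv6/reassembly.c and not part of the post above. It keeps only the arithmetic: frag_queue_end() mirrors the per-fragment check in ip6_frag_queue, and reasm_payload_len() mirrors the computation in ip6_frag_reasm. Its one assumption, stated in the code, is that when ip6_frag_reasm runs, head->data points just past the fragment header of the first fragment, so the reassembled payload_len equals the first fragment's extension-header length plus fq->q.len. The model ignores MF handling, overlap and ordering, and the three fragment sets it feeds through the checks are constructed inputs, not captured traffic.

```c
/*
 * User-space model of the two IPv6 payload-length checks.
 * Added example for this page, not kernel code.
 *
 * Assumption: in ip6_frag_reasm(), head->data points just past the first
 * fragment's fragment header, i.e.
 *   head->data - skb_network_header(head) == 40 + ext_len + 8.
 */
#include <stdio.h>
#include <stddef.h>

#define IPV6_MAXPLEN 65535
#define IPV6HDR_LEN  40
#define FRAG_HDR_LEN 8

/* One fragment as the model sees it (constructed input, not a real packet). */
struct frag {
    unsigned offset;      /* byte offset, already masked to a multiple of 8 */
    unsigned payload_len; /* IPv6 payload_len: ext headers + frag hdr + data */
    unsigned ext_len;     /* extension-header bytes before the fragment header */
};

enum verdict { ACCEPT, REJECT_IN_QUEUE, REJECT_IN_REASM };

/*
 * Mirror of the check in ip6_frag_queue():
 *   end = offset + (payload_len - ((fhdr + 1) - (ipv6_hdr + 1)))
 * where (fhdr + 1) - (ipv6_hdr + 1) is ext_len + sizeof(struct frag_hdr).
 * Returns the fragment's end, or -1 when the check fails.
 */
static long frag_queue_end(const struct frag *f)
{
    long end = (long)f->offset +
               ((long)f->payload_len - ((long)f->ext_len + FRAG_HDR_LEN));
    if ((unsigned long)end > IPV6_MAXPLEN) /* unsigned compare, as in the kernel */
        return -1;
    return end;
}

/*
 * Mirror of the computation in ip6_frag_reasm():
 *   payload_len = (head->data - network_header) - sizeof(ipv6hdr)
 *                 + fq->q.len - sizeof(struct frag_hdr)
 * Under the assumption above this reduces to head_ext_len + q_len.
 */
static long reasm_payload_len(unsigned head_ext_len, unsigned q_len)
{
    long data_off = IPV6HDR_LEN + head_ext_len + FRAG_HDR_LEN;
    return (data_off - IPV6HDR_LEN) + (long)q_len - FRAG_HDR_LEN;
}

/* Run every fragment through the queue check, then the reassembly check. */
static enum verdict reassemble(const struct frag *frags, size_t n)
{
    unsigned q_len = 0;        /* fq->q.len: largest end seen so far */
    unsigned head_ext_len = 0; /* ext headers of the offset-0 fragment */
    for (size_t i = 0; i < n; i++) {
        long end = frag_queue_end(&frags[i]);
        if (end < 0)
            return REJECT_IN_QUEUE;
        if ((unsigned)end > q_len)
            q_len = (unsigned)end;
        if (frags[i].offset == 0)
            head_ext_len = frags[i].ext_len;
    }
    if (reasm_payload_len(head_ext_len, q_len) > IPV6_MAXPLEN)
        return REJECT_IN_REASM;
    return ACCEPT;
}

/* Constructed fragment sets. */
/* A: one fragment whose end is 65536: caught by the queue check. */
static const struct frag SET_A[] = { { 65528, 16, 0 } };
/* B: first fragment carries an 8-byte extension header, last fragment ends
 * exactly at 65535; every fragment passes the queue check, reassembly fails. */
static const struct frag SET_B[] = { { 0, 1016, 8 }, { 65528, 15, 0 } };
/* C: same as B without extension headers: payload_len lands on 65535. */
static const struct frag SET_C[] = { { 0, 1008, 0 }, { 65528, 15, 0 } };

int main(void)
{
    static const char *names[] = { "ACCEPT", "REJECT_IN_QUEUE", "REJECT_IN_REASM" };
    printf("A: %s\n", names[reassemble(SET_A, 1)]);
    printf("B: %s (reassembled payload_len %ld)\n", names[reassemble(SET_B, 2)],
           reasm_payload_len(8, 65535));
    printf("C: %s (reassembled payload_len %ld)\n", names[reassemble(SET_C, 2)],
           reasm_payload_len(0, 65535));
    return 0;
}
```

In this model the second check is not dead: the queue check bounds each fragment's own end, while the reassembly check adds the first fragment's extension headers on top of fq->q.len, so set B is only rejected at out_oversize. Whether that path is reachable on a real system depends on the assumption about head->data holding for the kernel version in question.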