On Wed, Nov 28, 2018 at 2:16 PM Cong Wang <[email protected]> wrote:
>
> On Wed, Nov 28, 2018 at 7:00 AM Eric Dumazet <[email protected]> wrote:
> >
> > Nice packet of death alert.
> >
> > pad_len can be 0xFFFFFF67 here, if frame_len is smaller than pad_offset.
>
> Unless IP header is malformed, how could it be?
This is totally something an attacker can forge.
ip_rcv_core()
...
len = ntohs(iph->tot_len);
if (skb->len < len) {
__IP_INC_STATS(net, IPSTATS_MIB_INTRUNCATEDPKTS);
goto drop;
No crash, but we drop and increment appropriate SNMP counter.
