From: Wouter Wijngaards
Date: Thu, 10 Apr 2014 08:35:45 +0000 (+0000)
Subject: - Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
X-Git-Tag: release-1.5.0rc1~151
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=470b7bda8763c36a7db255d1d981f3ae06d41ba0;p=thirdparty%2Funbound.git
- Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
  option for DNS fragmentation defense.
git-svn-id: file:///svn/unbound/trunk@3107 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index 383dafaf8..8fda4c683 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,7 @@
 10 April 2014: Wouter
 	- iana portlist updated.
+	- Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
+	  option for DNS fragmentation defense.
 
 8 April 2014: Wouter
 	- Fix #574: make test fails on Ubuntu 14.04. Disabled remote-control
diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
index 8b1d62e3a..49059f83a 100644
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@@ -362,11 +362,26 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 # endif /* IPv6 MTU */
 	} else if(family == AF_INET) {
 # if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
+/* linux 3.15 has IP_PMTUDISC_OMIT, Hannes Frederic Sowa made it so that
+ * PMTU information is not accepted, but fragmentation is allowed
+ * if and only if the packet size exceeds the outgoing interface MTU
+ * (and also uses the interface mtu to determine the size of the packets).
+ * So there won't be any EMSGSIZE error. Against DNS fragmentation attacks.
+ * FreeBSD already has same semantics without setting the option. */
+# if defined(IP_PMTUDISC_OMIT)
+		int action = IP_PMTUDISC_OMIT;
+# else
 		int action = IP_PMTUDISC_DONT;
+# endif
 		if (setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER, &action,
 			(socklen_t)sizeof(action)) < 0) {
 			log_err("setsockopt(..., IP_MTU_DISCOVER, "
-				"IP_PMTUDISC_DONT...) failed: %s",
+# if defined(IP_PMTUDISC_OMIT)
+				"IP_PMTUDISC_OMIT"
+# else
+				"IP_PMTUDISC_DONT"
+# endif
+				"...) failed: %s",
 				strerror(errno));
 # ifndef USE_WINSOCK
 			close(s);
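Review bot: Selecting IP_PMTUDISC_OMIT only at compile time leaves no runtime fallback, so a binary built against Linux 3.15 headers and run on an older kernel has the setsockopt() in this hunk fail (EINVAL is the errno to expect for a value the kernel does not know), after which the error is logged, the socket is closed and the UDP listener does not come up at all, whereas IP_PMTUDISC_DONT would still have worked there. Retrying once with IP_PMTUDISC_DONT when the first call fails keeps the fragmentation defense on kernels that support OMIT and the previous behaviour everywhere else; the name in the log message can then be taken from the value actually tried, which also removes the second `# if defined(IP_PMTUDISC_OMIT)` block spliced into the string literal. create_udp_sock starts before and continues after this hunk.
```c
		int r = setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER, &action,
			(socklen_t)sizeof(action));
#  if defined(IP_PMTUDISC_OMIT)
		/* a kernel older than 3.15 rejects IP_PMTUDISC_OMIT (EINVAL
		 * expected); keep the pre-3.15 setting rather than no socket */
		if (r < 0 && errno == EINVAL) {
			action = IP_PMTUDISC_DONT;
			r = setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER, &action,
				(socklen_t)sizeof(action));
		}
#  endif
		if (r < 0) {
			log_err("setsockopt(..., IP_MTU_DISCOVER, %s...) failed: %s",
				action == IP_PMTUDISC_DONT ? "IP_PMTUDISC_DONT"
					: "IP_PMTUDISC_OMIT",
				strerror(errno));
			/* … unchanged: close(s) under the USE_WINSOCK guard and error return … */
```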