diff options
| author | Tom Herbert <tom@quantonium.net> | 2017-09-01 14:04:12 -0700 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-09-05 11:40:08 -0700 |
| commit | 1eed4dfb81b193af3299edeed2827337f9999e78 (patch) | |
| tree | 47563e759a4e046e163078c1898949814416c1cf /crypto/pcbc.c | |
| parent | 3a1214e8b06317b4e71cd3a36344df87b7858e19 (diff) | |
| download | linux-1eed4dfb81b193af3299edeed2827337f9999e78.tar.bz2 | |
flow_dissector: Add limit for number of headers to dissect
In flow dissector there are no limits to the number of nested
encapsulations or headers that might be dissected which makes for a
nice DOS attack. This patch sets a limit of the number of headers
that flow dissector will parse.
Headers includes network layer headers, transport layer headers, shim
headers for encapsulation, IPv6 extension headers, etc. The limit for
maximum number of headers to parse has be set to fifteen to account for
a reasonable number of encapsulations, extension headers, VLAN,
in a packet. Note that this limit does not supercede the STOP_AT_*
flags which may stop processing before the headers limit is reached.
Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Tom Herbert <tom@quantonium.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'crypto/pcbc.c')
0 files changed, 0 insertions, 0 deletions