Bug 62

Summary: passt/pasta silently mishandles IPv4 fragments received on tap interface
Product: passt
Reporter: David Gibson <dgibson>
Component: IPv4
Assignee: David Gibson <dgibson>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Bug Depends on:    
Bug Blocks: 55    

Description David Gibson 2023-07-04 03:06:27 UTC
passt has no support for handling IPv4 fragmentation.  This doesn't generally cause a problem, because our tap-side MTU is so large that fragmentation will almost never occur in practice.

If for some reason (e.g. a misconfigured or malicious guest) we do receive IPv4 fragments from the guest, we will not give an error but misinterpret them: we'll treat each fragment as if it was an entire IP packet, which could have strange, hard-to-debug effects (bug 55 is a fairly tame example).

Handling IPv4 defragmentation is complicated, and probably not useful for real cases.  However we should at least print some sort of error so that it's obvious what's going on if we do hit one of these edge cases.
Comment 1 David Gibson 2023-07-04 04:36:36 UTC
Patch sent.
Comment 2 David Gibson 2023-07-08 08:32:50 UTC
Patch merged.
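
The check the description asks for, as an added example (this is not the merged passt patch or any passt code): classify an IPv4 packet as whole or fragment from the flags/offset field, and drop fragments with a rate-limited warning instead of parsing them as complete packets. The function names, the 1-in-1024 warning interval and the sample headers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP4_MF      0x2000u /* "more fragments" flag */
#define IP4_OFFMASK 0x1fffu /* fragment offset, in 8-byte units */

enum ip4_kind { IP4_WHOLE, IP4_FRAGMENT, IP4_MALFORMED };

static unsigned long frag_dropped; /* fragments dropped so far */

/* Classify a raw IPv4 packet (Ethernet header already stripped). */
enum ip4_kind ip4_classify(const uint8_t *p, size_t len)
{
	size_t hlen;
	unsigned frag;

	if (len < 20 || (p[0] >> 4) != 4)
		return IP4_MALFORMED;
	hlen = (size_t)(p[0] & 0x0f) * 4;
	if (hlen < 20 || hlen > len)
		return IP4_MALFORMED;
	frag = ((unsigned)p[6] << 8) | p[7]; /* flags + offset, big endian */
	/* DF (0x4000) alone is not a fragment; MF or a non-zero offset is */
	return (frag & (IP4_MF | IP4_OFFMASK)) ? IP4_FRAGMENT : IP4_WHOLE;
}

/* Return 1 if the packet may go on to L4 parsing, 0 if it was dropped. */
int ip4_accept(const uint8_t *p, size_t len)
{
	enum ip4_kind k = ip4_classify(p, len);
	if (k == IP4_FRAGMENT && (frag_dropped++ % 1024) == 0)
		fprintf(stderr, "Dropping IPv4 fragment from tap (%lu so far)\n",
			frag_dropped);
	return k == IP4_WHOLE;
}

/* Constructed 20-byte headers: only the flags/offset bytes (6-7) differ */
#define HDR(hi, lo) { 0x45, 0, 0, 20, 0, 1, hi, lo, 64, 17, 0, 0, \
		      10, 0, 0, 2, 10, 0, 0, 1 }
const uint8_t pkt_whole_df[20]   = HDR(0x40, 0x00); /* DF set, not a fragment */
const uint8_t pkt_first_frag[20] = HDR(0x20, 0x00); /* MF set, offset 0 */
const uint8_t pkt_last_frag[20]  = HDR(0x00, 0xb9); /* MF clear, offset 185 */

int main(void)
{
	printf("%d ", ip4_accept(pkt_whole_df, 20));
	printf("%d ", ip4_accept(pkt_first_frag, 20));
	printf("%d\n", ip4_accept(pkt_last_frag, 20));
	return 0;
}
```

The last-fragment case is the one that matters most for the misinterpretation described above: it has MF clear, so a check on the flag alone would pass it through and its payload would be parsed as a transport header.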