patch 'ip_frag: reject oversized reassembled datagrams' has been queued to stable release 24.11.7

luca.boccassi at gmail.com luca.boccassi at gmail.com
Mon Jul 6 12:20:59 CEST 2026


Hi,

FYI, your patch has been queued to stable release 24.11.7

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/05/26. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/a416b4b4413c9916c9618407149766f4ad482018

Thanks.

Luca Boccassi

---
>From a416b4b4413c9916c9618407149766f4ad482018 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger <stephen at networkplumber.org>
Date: Wed, 1 Jul 2026 09:20:30 -0700
Subject: [PATCH] ip_frag: reject oversized reassembled datagrams

[ upstream commit 23fd984a5a6b21cd5908a2430358e32d01441722 ]

The reassembled total length of a packet must not exceed 65535.
A fragment with a high offset could drive the sum past that,
causing silent truncation since IP payload_len/total_length is 16 bits.

When reassembling a packet the total length should not be allowed
to exceed 65535. A fragment with high offset could drive the sum
past that, causing silent truncation.

A valid datagram never exceeds 65535 bytes, so reject any fragment
whose resulting length would exceed that.
Fold the test into the existing zero-length check.

Fixes: cc8f4d020c0b ("examples/ip_reassembly: initial import")

Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
Acked-by: Konstantin Ananyev <konstantin.ananyev at huawei.com>
---
 lib/ip_frag/rte_ipv4_reassembly.c | 9 +++++++--
 lib/ip_frag/rte_ipv6_reassembly.c | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/lib/ip_frag/rte_ipv4_reassembly.c b/lib/ip_frag/rte_ipv4_reassembly.c
index 103f28bada..c37d8f0f8c 100644
--- a/lib/ip_frag/rte_ipv4_reassembly.c
+++ b/lib/ip_frag/rte_ipv4_reassembly.c
@@ -134,8 +134,13 @@ rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
 		tbl, tbl->max_cycles, tbl->entry_mask, tbl->max_entries,
 		tbl->use_entries);
 
-	/* check that fragment length is greater then zero. */
-	if (ip_len <= 0) {
+	/*
+	 * Drop fragments with no payload, and any fragment whose end would
+	 * make the reassembled datagram exceed the maximum IPv4 size. The
+	 * total_length field is 16 bits, so otherwise it is silently
+	 * truncated while the mbuf still holds the full length.
+	 */
+	if (ip_len <= 0 || ip_ofs + ip_len + mb->l3_len > UINT16_MAX) {
 		IP_FRAG_MBUF2DR(dr, mb);
 		return NULL;
 	}
diff --git a/lib/ip_frag/rte_ipv6_reassembly.c b/lib/ip_frag/rte_ipv6_reassembly.c
index 4197fbfd85..71c65f88d4 100644
--- a/lib/ip_frag/rte_ipv6_reassembly.c
+++ b/lib/ip_frag/rte_ipv6_reassembly.c
@@ -172,8 +172,13 @@ rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
 		tbl, tbl->max_cycles, tbl->entry_mask, tbl->max_entries,
 		tbl->use_entries);
 
-	/* check that fragment length is greater then zero. */
-	if (ip_len <= 0) {
+	/*
+	 * Drop fragments with no payload, and any fragment whose end would
+	 * make the reassembled payload exceed 65535 bytes. The payload_len
+	 * field is 16 bits, so otherwise it is silently truncated while the
+	 * mbuf still holds the full length.
+	 */
+	if (ip_len <= 0 || ip_ofs + ip_len > UINT16_MAX) {
 		IP_FRAG_MBUF2DR(dr, mb);
 		return NULL;
 	}
-- 
2.47.3

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2026-07-03 12:55:49.227926774 +0100
+++ 0067-ip_frag-reject-oversized-reassembled-datagrams.patch	2026-07-03 12:55:46.714575135 +0100
@@ -1 +1 @@
-From 23fd984a5a6b21cd5908a2430358e32d01441722 Mon Sep 17 00:00:00 2001
+From a416b4b4413c9916c9618407149766f4ad482018 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 23fd984a5a6b21cd5908a2430358e32d01441722 ]
+
@@ -19 +20,0 @@
-Cc: stable at dpdk.org
@@ -24,21 +25,4 @@
- doc/guides/rel_notes/release_26_07.rst | 3 ++-
- lib/ip_frag/rte_ipv4_reassembly.c      | 9 +++++++--
- lib/ip_frag/rte_ipv6_reassembly.c      | 9 +++++++--
- 3 files changed, 16 insertions(+), 5 deletions(-)
-
-diff --git a/doc/guides/rel_notes/release_26_07.rst b/doc/guides/rel_notes/release_26_07.rst
-index bb3ad50dd6..e2b7b8dbb3 100644
---- a/doc/guides/rel_notes/release_26_07.rst
-+++ b/doc/guides/rel_notes/release_26_07.rst
-@@ -305,9 +305,10 @@ API Changes
- 
-   - Duplicate fragments are tolerated instead of failing reassembly.
-   - Overlapping fragments are rejected on arrival rather than during reassembly.
-+  - Oversized fragments (reassembled length over 65535) are rejected.
-   - For IPv6, fragments with per-fragment extension headers are rejected.
- 
--  Overlap is now detected on arrival, which adds a scan of the
-+  Overlap and oversize are now detected on arrival, which adds a scan of the
-   already received fragments per fragment and may affect throughput.
- 
- 
+ lib/ip_frag/rte_ipv4_reassembly.c | 9 +++++++--
+ lib/ip_frag/rte_ipv6_reassembly.c | 9 +++++++--
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
@@ -46 +30 @@
-index 980f7a3b77..727fc58243 100644
+index 103f28bada..c37d8f0f8c 100644
@@ -49 +33 @@
-@@ -136,8 +136,13 @@ rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
+@@ -134,8 +134,13 @@ rte_ipv4_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
@@ -66 +50 @@
-index b6f623d53b..9aa2f2d08b 100644
+index 4197fbfd85..71c65f88d4 100644
@@ -69 +53 @@
-@@ -174,8 +174,13 @@ rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,
+@@ -172,8 +172,13 @@ rte_ipv6_frag_reassemble_packet(struct rte_ip_frag_tbl *tbl,


More information about the stable mailing list