[Dnsmasq-discuss] CVE-2015-7547 tcp path mitigation hack
Rick Jones
rick.jones2 at hpe.com
Thu Feb 18 19:35:00 GMT 2016
On 02/18/2016 10:24 AM, Louis Munro wrote:
> This is what I have come up with for now:
>
> iptables -I INPUT -p tcp -m tcp --sport 53 -m length --length 1024:4096 -j DROP
> iptables -I INPUT -p udp -m udp --sport 53 -m length --length 1024:4096 -j DROP
>
> 4096 is really just some large number here.
> I could go higher if jumbo frames might be involved.
Generic Receive Offload (GRO) may be sufficient to get larger segments
even without JumboFrames. If you want duct-tape added to the belt and
suspenders, you might consider taking it out to 65535 - I'm pretty sure
that nothing will "GRO" beyond that size.
> Of course, this is a band-aid solution.
> There is no substitute for updating glibc in the end.
Indeed.
> But I digress, this is getting off track and is not really relevant to
> this list.
Perhaps, but it does go to how long one might be expected to carry along
bandaids/kludges in the likes of dnsmasq.
rick jones