Mitigate CVE-2018-5391 by sysctl (#1948)

Signed-off-by: Qi Luo <qiluo-msft@users.noreply.github.com>
sonic-net · Aug 19, 2018 · 275b583 · 275b583
1 parent cd8f6c8
commit 275b583
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/build_debian.sh b/build_debian.sh
@@ -272,6 +272,7 @@ check system $HOST
 EOF
 
 ## Config sysctl
+## TODO: ipfrag* are for mitigating CVE-2018-5391, remove after kernel upgraded
 sudo mkdir -p $FILESYSTEM_ROOT/var/core
 sudo augtool --autosave "
 set /files/etc/sysctl.conf/kernel.core_pattern '|/usr/bin/coredump-compress %e %t %p'
@@ -309,6 +310,9 @@ set /files/etc/sysctl.conf/net.ipv6.conf.eth0.accept_ra_defrtr 0
 
 set /files/etc/sysctl.conf/net.core.rmem_max 2097152
 set /files/etc/sysctl.conf/net.core.wmem_max 2097152
+
+set /files/etc/sysctl.conf/net.ipv4.ipfrag_high_thresh 262144
+set /files/etc/sysctl.conf/net.ipv4.ipfrag_low_thresh 196608
 " -r $FILESYSTEM_ROOT
 
 ## docker-py is needed by Ansible docker module