DF-0519
ICMP PMTUD accepts attacker-controlled nextmtu: PMTU poisoning via unauthenticated frag-needed
Summary
icmp_mtudisc (:282-304): does rtpurelookup on the embedded ip_dst and, if the route's rmx_locks lacks RTV_MTU, writes rt_rmx.rmx_mtu = ntohs(icmp_nextmtu) for any attacker-supplied value >= 296. No validation that the ICMP originated from a trusted on-path router (ICMP is unauthenticated by design) and no cross-check against the route gateway. An off-path spoofer can force the host route PMTU down to 296 -> throughput degradation. Bounded below at 296. RFC 4450 classic; inherent to ICMP PMTUD. Fix: validate ICMP source against route gateway; accept only ip_next_mtu plateau reductions.
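Added example of the proposed fix, not code from the advisory or the affected kernel: a userland C stand-in for the MTU update path that keeps the RTV_MTU lock check, rejects frag-needed whose source is not the route gateway, keeps the 296 floor, and clamps the advertised value to the ip_next_mtu plateau table so only a genuine plateau reduction is installed. The route_stub struct, the addresses and the demo scenario are constructed for this example; the plateau values mirror the BSD ip_next_mtu table.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the route entry; not the kernel's struct rtentry. */
#define RTV_MTU 0x1
struct route_stub {
    uint32_t gateway;   /* next-hop address, host byte order */
    uint32_t rmx_locks; /* RTV_MTU set => MTU administratively locked */
    uint32_t rmx_mtu;   /* current path MTU for this host route */
};

#define PMTU_FLOOR 296  /* lowest value the original code path accepts */

/* Plateau table as used by BSD ip_next_mtu, descending. */
static const uint32_t plateaus[] = {65535, 32000, 17914, 8166, 4352, 2002,
                                    1492, 1280, 1006, 508, 296, 68};

/* Largest plateau <= mtu, or 0 when mtu is below the table. */
static uint32_t plateau_floor(uint32_t mtu) {
    for (size_t i = 0; i < sizeof plateaus / sizeof plateaus[0]; i++)
        if (plateaus[i] <= mtu) return plateaus[i];
    return 0;
}

/* Hardened update: returns true and writes rt->rmx_mtu only if every check passes. */
bool pmtu_update(struct route_stub *rt, uint32_t icmp_src, uint32_t nextmtu) {
    if (rt->rmx_locks & RTV_MTU) return false;   /* locked, same as the original path */
    if (icmp_src != rt->gateway) return false;    /* not from the route's next hop: drop */
    if (nextmtu < PMTU_FLOOR) return false;       /* keep the existing lower bound */
    uint32_t candidate = plateau_floor(nextmtu);  /* arbitrary values snap to a plateau */
    if (candidate < PMTU_FLOOR || candidate >= rt->rmx_mtu) return false; /* must reduce */
    rt->rmx_mtu = candidate;
    return true;
}

/* Constructed scenario: an off-path spoof is ignored, a message from the gateway is honoured. */
uint32_t demo(void) {
    struct route_stub rt = { .gateway = 0x0A000001, .rmx_locks = 0, .rmx_mtu = 1500 };
    pmtu_update(&rt, 0xC0A80001, 296);   /* spoofed source: rejected, MTU stays 1500 */
    pmtu_update(&rt, 0x0A000001, 1300);  /* from gateway: clamped to plateau 1280 */
    return rt.rmx_mtu;                   /* returns 1280 */
}
```

Note that comparing against the first-hop gateway only admits frag-needed from that hop; routers further along the path also emit it, so this trades PMTUD reach beyond the next hop for resistance to off-path spoofing.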