--- zzzz-none-000/linux-4.9.276/net/ipv4/ip_fragment.c 2021-07-20 14:21:16.000000000 +0000
+++ falcon-5530-750/linux-4.9.276/net/ipv4/ip_fragment.c 2023-04-05 08:19:02.000000000 +0000
@@ -670,8 +670,13 @@
 * we will prune down to 3MB, making room for approx 8 big 64K
 * fragments 8x128k.
 */
- net->ipv4.frags.high_thresh = 4 * 1024 * 1024;
- net->ipv4.frags.low_thresh = 3 * 1024 * 1024;
+ net->ipv4.frags.high_thresh = 256 * 1024; /* Fragmentsmack CVE-2018-5391 */
+ net->ipv4.frags.low_thresh = 192 * 1024;
+ /*
+ * old default values
+ * net->ipv4.frags.high_thresh = 4 * 1024 * 1024 ;
+ * net->ipv4.frags.low_thresh = 3 * 1024 * 1024;
+ */
 /*
 * Important NOTE! Fragment queue must be destroyed before MSL expires.
 * RFC791 is wrong proposing to prolongate timer each fragment arrival
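Review bot: The comment directly above the new assignments still describes pruning to 3MB with room for about eight 64K datagrams, which no longer holds once `high_thresh` is 256 KB and `low_thresh` is 192 KB. It should be rewritten to state the new budget and its reason, e.g. `/* Cap reassembly memory at 256 KB, pruning to 192 KB, to limit the fragment-queue work an attacker can force (FragmentSmack, CVE-2018-5391). */`, and the commented-out old assignments dropped, since history keeps them. The smaller budget is a trade-off worth recording there too: far fewer large datagrams can be in reassembly at once, so bogus fragments crowd out legitimate fragmented traffic more easily. These values are also only defaults, which `net.ipv4.ipfrag_high_thresh` and `net.ipv4.ipfrag_low_thresh` can raise again at runtime. The hunk covers IPv4 only, so whether the IPv6 and netfilter reassembly limits get the same treatment is not visible here; the comment block and the enclosing function both start above the hunk.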