netfilter: ipset: Skip really non-first fragments for IPv6 when getting port/protocol

author Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

Mon, 16 Sep 2013 18:00:08 +0000 (20:00 +0200)

committer Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

Mon, 16 Sep 2013 18:33:44 +0000 (20:33 +0200)
author Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Mon, 16 Sep 2013 18:00:08 +0000 (20:00 +0200)
committer Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Mon, 16 Sep 2013 18:33:44 +0000 (20:33 +0200)
diff --git a/net/netfilter/ipset/ip_set_getport.c b/net/netfilter/ipset/ip_set_getport.c

index 6fdf88ae2353b67be38c307fd8d4cb114594e624..dac156f819ac2f2fe25c876d800aadd2c47c0752 100644 (file)
--- a/net/netfilter/ipset/ip_set_getport.c
+++ b/net/netfilter/ipset/ip_set_getport.c
@@ -116,12 +116,12 @@ ip_set_get_ip6_port(const struct sk_buff *skb, bool src,
  {
         int protoff;
         u8 nexthdr;
-       __be16 frag_off;
+       __be16 frag_off = 0;
  
         nexthdr = ipv6_hdr(skb)->nexthdr;
         protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
                                    &frag_off);
-       if (protoff < 0)
+       if (protoff < 0 || (frag_off & htons(~0x7)) != 0)
                 return false;
  
         return get_port(skb, nexthdr, protoff, src, port, proto);
author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
	Mon, 16 Sep 2013 18:00:08 +0000 (20:00 +0200)
committer	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
	Mon, 16 Sep 2013 18:33:44 +0000 (20:33 +0200)