Skip really non-first fragments for IPv6 when getting port/protocol

author Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

Fri, 31 May 2013 21:14:36 +0000 (23:14 +0200)

committer Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

Fri, 31 May 2013 21:14:36 +0000 (23:14 +0200)
author Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Fri, 31 May 2013 21:14:36 +0000 (23:14 +0200)
committer Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Fri, 31 May 2013 21:14:36 +0000 (23:14 +0200)
diff --git a/kernel/net/netfilter/ipset/ip_set_getport.c b/kernel/net/netfilter/ipset/ip_set_getport.c

index 279a03c986208441b004c0e312e4c0af014c89d8..a0d96eb6271dfd06911e41407d920f3d45706b13 100644 (file)
--- a/kernel/net/netfilter/ipset/ip_set_getport.c
+++ b/kernel/net/netfilter/ipset/ip_set_getport.c
@@ -135,9 +135,7 @@ ip_set_get_ip6_port(const struct sk_buff *skb, bool src,
  {
         int protoff;
         u8 nexthdr;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 3, 0)
-       __be16 frag_off;
-#endif
+       __be16 frag_off = 0;
  
         nexthdr = ipv6_hdr(skb)->nexthdr;
  #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 3, 0)
@@ -146,7 +144,7 @@ ip_set_get_ip6_port(const struct sk_buff *skb, bool src,
  #else
         protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr);
  #endif
-       if (protoff < 0)
+       if (protoff < 0 || (frag_off & htons(~0x7)) != 0)
                 return false;
  
         return get_port(skb, nexthdr, protoff, src, port, proto);
author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
	Fri, 31 May 2013 21:14:36 +0000 (23:14 +0200)
committer	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
	Fri, 31 May 2013 21:14:36 +0000 (23:14 +0200)