From: Jozsef Kadlecsik
Date: Mon, 16 Sep 2013 18:00:08 +0000 (+0200)
Subject: netfilter: ipset: Skip really non-first fragments for IPv6 when getting port/protocol
X-Git-Tag: accepted/tizen/common/20141203.182822~1423^2~10^2~4
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=55524c219aa803887d1c247853842a9566598cba;p=platform%2Fkernel%2Flinux-arm64.git

netfilter: ipset: Skip really non-first fragments for IPv6 when getting port/protocol

Signed-off-by: Jozsef Kadlecsik
---
diff --git a/net/netfilter/ipset/ip_set_getport.c b/net/netfilter/ipset/ip_set_getport.c
index 6fdf88a..dac156f 100644
--- a/net/netfilter/ipset/ip_set_getport.c
+++ b/net/netfilter/ipset/ip_set_getport.c
@@ -116,12 +116,12 @@ ip_set_get_ip6_port(const struct sk_buff *skb, bool src,
 {
 int protoff;
 u8 nexthdr;
- __be16 frag_off;
+ __be16 frag_off = 0;
 nexthdr = ipv6_hdr(skb)->nexthdr;
 protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr, &frag_off);
- if (protoff < 0)
+ if (protoff < 0 || (frag_off & htons(~0x7)) != 0)
 return false;
 return get_port(skb, nexthdr, protoff, src, port, proto);
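Review bot: The added test `(frag_off & htons(~0x7)) != 0` carries no comment saying that the mask selects the fragment-offset bits and that a non-zero offset means the packet holds no transport header, so port and protocol cannot be read from it; I would put `/* Non-first fragment: no L4 header to read port/protocol from */` above the `if`. `~0x7` is an `int` that `htons()` narrows to 16 bits, so a named 16-bit offset mask (IP6_OFFSET, if this tree defines it) would say the same thing without the implicit truncation. Returning false here means a port-based set lookup does not match later fragments at all, so rules built on such sets presumably rely on reassembly happening before the lookup; that is worth one line in the commit message or the function's header comment. The signature and closing brace of ip_set_get_ip6_port lie outside the hunk.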