netfilter: ipset: Skip really non-first fragments for IPv6 when getti…

…ng port/protocol Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
git-mirror · Sep 16, 2013 · 55524c2 · 55524c2
1 parent d830f0f
commit 55524c2
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/net/netfilter/ipset/ip_set_getport.c b/net/netfilter/ipset/ip_set_getport.c
@@ -116,12 +116,12 @@ ip_set_get_ip6_port(const struct sk_buff *skb, bool src,
 {
 	int protoff;
 	u8 nexthdr;
-	__be16 frag_off;
+	__be16 frag_off = 0;
 
 	nexthdr = ipv6_hdr(skb)->nexthdr;
 	protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
 				   &frag_off);
-	if (protoff < 0)
+	if (protoff < 0 || (frag_off & htons(~0x7)) != 0)
 		return false;
 
 	return get_port(skb, nexthdr, protoff, src, port, proto);