Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=138939e0662ccb0e805aefe400bcf9cfcbece8e7
Commit:     138939e0662ccb0e805aefe400bcf9cfcbece8e7
Parent:     601e68e100b6bf8ba13a32db8faf92d43acaa997
Author:     Masahide NAKAMURA <[EMAIL PROTECTED]>
AuthorDate: Mon Feb 12 11:16:17 2007 -0800
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Mon Feb 12 11:16:17 2007 -0800

    [NETFILTER]: ip6t_mh: drop piggyback payload packet on MH packets
    
    Regarding RFC3775, MH payload proto field should be IPPROTO_NONE. Otherwise
    it must be discarded (and the receiver should send ICMP error).
    
    We assume filter should drop such piggyback every time to disallow slipping
    through firewall rules, even the final receiver will discard it.
    
    Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
    Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
    Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
---
 net/ipv6/netfilter/ip6t_mh.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index 2c7efc6..c2a9098 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -66,6 +66,13 @@ match(const struct sk_buff *skb,
                return 0;
        }
 
+       if (mh->ip6mh_proto != IPPROTO_NONE) {
+               duprintf("Dropping invalid MH Payload Proto: %u\n",
+                        mh->ip6mh_proto);
+               *hotdrop = 1;
+               return 0;
+       }
+
        return type_match(mhinfo->types[0], mhinfo->types[1], mh->ip6mh_type,
                          !!(mhinfo->invflags & IP6T_MH_INV_TYPE));
 }
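
Review bot: The new ip6mh_proto check in match() sets *hotdrop = 1 before type_match() is reached, so a packet whose payload proto is not IPPROTO_NONE is dropped regardless of mhinfo->types, the IP6T_MH_INV_TYPE inversion, and the target of the rule that invoked the match. That side effect is explained only in the commit message; a short comment above the if, citing RFC3775 and stating that the unconditional drop is intentional, would keep the rationale next to the code. The only trace of the drop is the duprintf() call, so if that macro is compiled out in normal builds the drop is silent to an administrator; it would help to mention this behaviour in the user-facing documentation for the mh match as well.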