[NETFILTER 21/22]: ip6t_mh: drop piggyback payload packet on MH packets
Patrick McHardy
kaber at trash.net
Mon Feb 12 11:36:51 CET 2007
[NETFILTER]: ip6t_mh: drop piggyback payload packet on MH packets
Regarding RFC3775, the MH payload proto field should be IPPROTO_NONE. Otherwise
it must be discarded (and the receiver should send an ICMP error).
We assume the filter should drop such a piggyback every time to disallow slipping
through firewall rules, even though the final receiver will discard it.
Signed-off-by: Masahide NAKAMURA <nakam at linux-ipv6.org>
Signed-off-by: Patrick McHardy <kaber at trash.net>
---
commit a7b4ff1031d3e62fad2b7da2068bb5deb2041325
tree ba6d4b4517999ebf0876a5618640276a6a251503
parent 353c941b0735b883510bfd7bb98fcd4fc8a0ee08
author Masahide NAKAMURA <nakam at linux-ipv6.org> Mon, 12 Feb 2007 11:08:11 +0100
committer Patrick McHardy <kaber at trash.net> Mon, 12 Feb 2007 11:08:11 +0100
net/ipv6/netfilter/ip6t_mh.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index 2c7efc6..c2a9098 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -66,6 +66,13 @@ match(const struct sk_buff *skb,
return 0;
}
+ if (mh->ip6mh_proto != IPPROTO_NONE) {
+ duprintf("Dropping invalid MH Payload Proto: %u\n",
+ mh->ip6mh_proto);
+ *hotdrop = 1;
+ return 0;
+ }
+
return type_match(mhinfo->types[0], mhinfo->types[1], mh->ip6mh_type,
!!(mhinfo->invflags & IP6T_MH_INV_TYPE));
}
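Review bot: the new check sits inside match(), so the hotdrop only takes effect for packets that are evaluated against an ip6tables rule using the mh match; an MH packet with a non-IPPROTO_NONE payload proto that never reaches a `-m mh` rule is not dropped by this change, which is worth stating in the commit message so nobody reads "drop piggyback every time" as a ruleset-wide guarantee. Setting `*hotdrop = 1` together with `return 0` is the usual way netfilter matches reject malformed headers, and the duprintf() message is debug-only, so the drop itself is silent in production; if operators are expected to notice these packets, a rate-limited log or a counter would make the behaviour observable.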