authorru <ru@FreeBSD.org>2000-10-27 07:19:17 +0000
committerru <ru@FreeBSD.org>2000-10-27 07:19:17 +0000
commit1eb23e9e86940a2ef00f6ffd88d6c97b82c914fe (patch)
tree85d7a42ca4dd08c043a354d900747519d6e9f8b0 /sys
parent3a9d51a41b4e6385897858e757c8c35818ea6a90 (diff)
Fetch the protocol header (TCP, UDP, ICMP) only from the first fragment
of IP datagram. This fixes the problem where the firewall denied fragmented packets whose last fragment was shorter than the minimum protocol header size. Found by: Harti Brandt <brandt@fokus.gmd.de> PR: kern/22309
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ip_fw.c27
1 files changed, 11 insertions, 16 deletions
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 3d0a459..c3637b5 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -970,25 +970,20 @@ ip_fw_chk(struct ip **pip, int hlen,
goto bogusfrag; \
ip = mtod(*m, struct ip *); \
*pip = ip; \
- offset = (ip->ip_off & IP_OFFMASK); \
} \
} while (0)
/*
* Collect parameters into local variables for faster matching.
*/
+ proto = ip->ip_p;
+ src_ip = ip->ip_src;
+ dst_ip = ip->ip_dst;
offset = (ip->ip_off & IP_OFFMASK);
- {
+ if (offset == 0) {
struct tcphdr *tcp;
struct udphdr *udp;
- dst_ip = ip->ip_dst ;
- src_ip = ip->ip_src ;
- proto = ip->ip_p ;
- /*
- * warning - if offset != 0, port values are bogus.
- * Not a problem for ipfw, but could be for dummynet.
- */
switch (proto) {
case IPPROTO_TCP :
PULLUP_TO(hlen + sizeof(struct tcphdr));
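Review bot: With the transport-header parsing now guarded by `if (offset == 0)`, src_port, dst_port and flags are never assigned for non-first fragments, yet the second hunk still copies them into last_pkt unconditionally; if their declarations (outside this hunk) do not initialise them, last_pkt would carry indeterminate port and flag values for such fragments. Giving all three a zero initialiser at their declaration removes the doubt, and the invariant deserves a comment in place of the deleted one, e.g. `/* Only the first fragment carries the transport header; for offset != 0, ports and flags keep their initial values. */` above the `if`. Dropping the `offset` recomputation from PULLUP_TO looks safe because the macro is now only expanded when offset is already 0 and a pullup does not alter the header contents. The PULLUP_TO definition and the body of ip_fw_chk both extend outside the hunk.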
@@ -1014,14 +1009,14 @@ ip_fw_chk(struct ip **pip, int hlen,
default :
break;
}
-#undef PULLUP_TO
- last_pkt.src_ip = ntohl(src_ip.s_addr) ;
- last_pkt.dst_ip = ntohl(dst_ip.s_addr) ;
- last_pkt.proto = proto ;
- last_pkt.src_port = ntohs(src_port) ;
- last_pkt.dst_port = ntohs(dst_port) ;
- last_pkt.flags = flags ;
}
+#undef PULLUP_TO
+ last_pkt.src_ip = ntohl(src_ip.s_addr);
+ last_pkt.dst_ip = ntohl(dst_ip.s_addr);
+ last_pkt.proto = proto;
+ last_pkt.src_port = ntohs(src_port);
+ last_pkt.dst_port = ntohs(dst_port);
+ last_pkt.flags = flags;
if (*flow_id) {
/* Accept if passed first test */