diff options
| author | David S. Miller <davem@davemloft.net> | 2012-04-10 14:38:31 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-04-10 14:38:31 -0400 |
| commit | ecd159fc5f415fa742d5daa5b43200606e6ad493 (patch) | |
| tree | 3f2996088bdf0d275d6b5fdb3cc184f80a12e21f /net/ipv4 | |
| parent | f68e556e23d1a4176b563bcb25d8baf2c5313f91 (diff) | |
| parent | 6ba900676bec8baaf61aa2f85b7345c0e65774d9 (diff) | |
| download | op-kernel-dev-ecd159fc5f415fa742d5daa5b43200606e6ad493.zip op-kernel-dev-ecd159fc5f415fa742d5daa5b43200606e6ad493.tar.gz | |
Merge branch 'master' of git://1984.lsi.us.es/net
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index de9da21..cf73cc7 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c @@ -74,16 +74,24 @@ static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff, iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph); if (iph == NULL) - return -NF_DROP; + return -NF_ACCEPT; /* Conntrack defragments packets, we might still see fragments * inside ICMP packets though. */ if (iph->frag_off & htons(IP_OFFSET)) - return -NF_DROP; + return -NF_ACCEPT; *dataoff = nhoff + (iph->ihl << 2); *protonum = iph->protocol; + /* Check bogus IP headers */ + if (*dataoff > skb->len) { + pr_debug("nf_conntrack_ipv4: bogus IPv4 packet: " + "nhoff %u, ihl %u, skblen %u\n", + nhoff, iph->ihl << 2, skb->len); + return -NF_ACCEPT; + } + return NF_ACCEPT; } |
