netfilter: nft_flow_offload: IPCB is only valid for ipv4 family

Guard this with a check vs. ipv4, IPCB isn't valid in ipv6 case.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 11 insertions, 6 deletions

diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index c97c03c3939a..d70742e95e14 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -48,15 +48,20 @@ static int nft_flow_route(const struct nft_pktinfo *pkt,
         return 0;
 }
 
-static bool nft_flow_offload_skip(struct sk_buff *skb)
+static bool nft_flow_offload_skip(struct sk_buff *skb, int family)
 {
-        struct ip_options *opt  = &(IPCB(skb)->opt);
-
-        if (unlikely(opt->optlen))
-                return true;
         if (skb_sec_path(skb))
                 return true;
 
+        if (family == NFPROTO_IPV4) {
+                const struct ip_options *opt;
+
+                opt = &(IPCB(skb)->opt);
+
+                if (unlikely(opt->optlen))
+                        return true;
+        }
+
         return false;
 }
 
@@ -74,7 +79,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
         struct nf_conn *ct;
         int ret;
 
-        if (nft_flow_offload_skip(pkt->skb))
+        if (nft_flow_offload_skip(pkt->skb, nft_pf(pkt)))
                 goto out;
 
         ct = nf_ct_get(pkt->skb, &ctinfo);