ipv6: drop packets with multiple fragmentation headers

[ Upstream commit f46078cfcd77fa5165bf849f5e568a7ac5fa569c ]

It is not allowed for an ipv6 packet to contain multiple fragmentation
headers. So discard packets which were already reassembled by
fragmentation logic and send back a parameter problem icmp.

The updates for RFC 6980 will come in later, I have to do a bit more
research here.

Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 files changed, 5 insertions, 0 deletions

diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 790d9f4b8b0b..1aeb473b2cc6 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -490,6 +490,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
         ipv6_hdr(head)->payload_len = htons(payload_len);
         ipv6_change_dsfield(ipv6_hdr(head), 0xff, ecn);
         IP6CB(head)->nhoff = nhoff;
+        IP6CB(head)->flags |= IP6SKB_FRAGMENTED;
 
         /* Yes, and fold redundant checksum back. 8) */
         if (head->ip_summed == CHECKSUM_COMPLETE)
@@ -524,6 +525,9 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
         struct net *net = dev_net(skb_dst(skb)->dev);
         int evicted;
 
+        if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED)
+                goto fail_hdr;
+
         IP6_INC_STATS_BH(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMREQDS);
 
         /* Jumbo payload inhibits frag. header */
@@ -544,6 +548,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
                                  ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMOKS);
 
                 IP6CB(skb)->nhoff = (u8 *)fhdr - skb_network_header(skb);
+                IP6CB(skb)->flags |= IP6SKB_FRAGMENTED;
                 return 1;
         }