ipv6: drop packets with multiple fragmentation headers

It is not allowed for an ipv6 packet to contain multiple fragmentation
headers. So discard packets which were already reassembled by
fragmentation logic and send back a parameter problem icmp.

The updates for RFC 6980 will come in later, I have to do a bit more
research here.

Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 5 insertions, 0 deletions

diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 790d9f4b8b0b..1aeb473b2cc6 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -490,6 +490,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
         ipv6_hdr(head)->payload_len = htons(payload_len);
         ipv6_change_dsfield(ipv6_hdr(head), 0xff, ecn);
         IP6CB(head)->nhoff = nhoff;
+        IP6CB(head)->flags |= IP6SKB_FRAGMENTED;
 
         /* Yes, and fold redundant checksum back. 8) */
         if (head->ip_summed == CHECKSUM_COMPLETE)
@@ -524,6 +525,9 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
         struct net *net = dev_net(skb_dst(skb)->dev);
         int evicted;
 
+        if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED)
+                goto fail_hdr;
+
         IP6_INC_STATS_BH(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMREQDS);
 
         /* Jumbo payload inhibits frag. header */
@@ -544,6 +548,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
                                  ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMOKS);
 
                 IP6CB(skb)->nhoff = (u8 *)fhdr - skb_network_header(skb);
+                IP6CB(skb)->flags |= IP6SKB_FRAGMENTED;
                 return 1;
         }