Merge branch 'master' of git://1984.lsi.us.es/net

4 files changed, 13 insertions, 19 deletions

diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index de9da21113a1..cf73cc70ed2d 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -74,16 +74,24 @@ static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
 
         iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
         if (iph == NULL)
-                return -NF_DROP;
+                return -NF_ACCEPT;
 
         /* Conntrack defragments packets, we might still see fragments
          * inside ICMP packets though. */
         if (iph->frag_off & htons(IP_OFFSET))
-                return -NF_DROP;
+                return -NF_ACCEPT;
 
         *dataoff = nhoff + (iph->ihl << 2);
         *protonum = iph->protocol;
 
+        /* Check bogus IP headers */
+        if (*dataoff > skb->len) {
+                pr_debug("nf_conntrack_ipv4: bogus IPv4 packet: "
+                         "nhoff %u, ihl %u, skblen %u\n",
+                         nhoff, iph->ihl << 2, skb->len);
+                return -NF_ACCEPT;
+        }
+
         return NF_ACCEPT;
 }
 
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 94874b0bdcdc..9d4e15559319 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -78,19 +78,6 @@ EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table);
 
    Hence the start of any table is given by get_table() below.  */
 
-/* Check for an extension */
-int
-ip6t_ext_hdr(u8 nexthdr)
-{
-        return  (nexthdr == IPPROTO_HOPOPTS)   ||
-                (nexthdr == IPPROTO_ROUTING)   ||
-                (nexthdr == IPPROTO_FRAGMENT)  ||
-                (nexthdr == IPPROTO_ESP)       ||
-                (nexthdr == IPPROTO_AH)        ||
-                (nexthdr == IPPROTO_NONE)      ||
-                (nexthdr == IPPROTO_DSTOPTS);
-}
-
 /* Returns whether matches rule or not. */
 /* Performance critical - called for every packet */
 static inline bool
@@ -2366,7 +2353,6 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
 EXPORT_SYMBOL(ip6t_register_table);
 EXPORT_SYMBOL(ip6t_unregister_table);
 EXPORT_SYMBOL(ip6t_do_table);
-EXPORT_SYMBOL(ip6t_ext_hdr);
 EXPORT_SYMBOL(ipv6_find_hdr);
 
 module_init(ip6_tables_init);
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 3cc4487ac349..729f157a0efa 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1592,7 +1592,7 @@ static int nf_conntrack_init_net(struct net *net)
         return 0;
 
 err_timeout:
-        nf_conntrack_timeout_fini(net);
+        nf_conntrack_ecache_fini(net);
 err_ecache:
         nf_conntrack_tstamp_fini(net);
 err_tstamp:
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 361eade62a09..0d07a1dcf605 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -584,8 +584,8 @@ static bool tcp_in_window(const struct nf_conn *ct,
                          * Let's try to use the data from the packet.
                          */
                         sender->td_end = end;
-                        win <<= sender->td_scale;
-                        sender->td_maxwin = (win == 0 ? 1 : win);
+                        swin = win << sender->td_scale;
+                        sender->td_maxwin = (swin == 0 ? 1 : swin);
                         sender->td_maxend = end + sender->td_maxwin;
                         /*
                          * We haven't seen traffic in the other direction yet