From 32950f55b940ccd68fed0a8478f93999756607c0 Mon Sep 17 00:00:00 2001
From: Masahide NAKAMURA <nakam@linux-ipv6.org>
Date: Mon, 12 Feb 2007 11:16:17 -0800
Subject: [PATCH] [NETFILTER]: ip6t_mh: drop piggyback payload packet on MH
 packets

Regarding RFC3775, MH payload proto field should be IPPROTO_NONE. Otherwise
it must be discarded (and the receiver should send ICMP error).

We assume filter should drop such piggyback everytime to disallow slipping
through firewall rules, even the final receiver will discard it.

Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/ipv6/netfilter/ip6t_mh.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index 2c7efc6a506da..c2a909893a64c 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -66,6 +66,13 @@ match(const struct sk_buff *skb,
 		return 0;
 	}
 
+	if (mh->ip6mh_proto != IPPROTO_NONE) {
+		duprintf("Dropping invalid MH Payload Proto: %u\n",
+			 mh->ip6mh_proto);
+		*hotdrop = 1;
+		return 0;
+	}
+
 	return type_match(mhinfo->types[0], mhinfo->types[1], mh->ip6mh_type,
 			  !!(mhinfo->invflags & IP6T_MH_INV_TYPE));
 }
-- 
2.39.5