[NETFILTER]: ip6t_mh: drop piggyback payload packet on MH packets
author Masahide NAKAMURA <nakam@linux-ipv6.org>
Mon, 12 Feb 2007 19:16:17 +0000 (11:16 -0800)
committer David S. Miller <davem@davemloft.net>
Mon, 12 Feb 2007 19:16:17 +0000 (11:16 -0800)
Regarding RFC 3775, the MH Payload Proto field should be IPPROTO_NONE. Otherwise
the packet must be discarded (and the receiver should send an ICMP error).

We assume the filter should drop such a piggyback every time, to disallow slipping
through firewall rules, even though the final receiver will discard it.

Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/netfilter/ip6t_mh.c

index 2c7efc6a506daebf13cb9740c11a3b3b447f05e5..c2a909893a64cbd790e9d650fbf8d7f4ae722ef2 100644 (file)
@@ -66,6 +66,13 @@ match(const struct sk_buff *skb,
                return 0;
        }
 
+       if (mh->ip6mh_proto != IPPROTO_NONE) {
+               duprintf("Dropping invalid MH Payload Proto: %u\n",
+                        mh->ip6mh_proto);
+               *hotdrop = 1;
+               return 0;
+       }
+
        return type_match(mhinfo->types[0], mhinfo->types[1], mh->ip6mh_type,
                          !!(mhinfo->invflags & IP6T_MH_INV_TYPE));
 }
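Review bot: the new Payload Proto check sets *hotdrop unconditionally, before type_match() and independent of mhinfo->invflags, so any rule that uses the mh match drops such a packet regardless of what the rule's type list or target would have done, and the packet is dropped silently rather than eliciting the ICMP error the commit message mentions for the final receiver. That is the stated intent, but it is a behavioural surprise for users who write, say, an mh rule with a LOG target, so it should be documented in the ip6tables mh match extension help text and man page ("packets whose Payload Proto is not IPPROTO_NONE are always dropped by this match"). The duprintf() line is debug-only output, so without documentation nothing tells an administrator why these packets disappear.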