summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--net/ipv6/netfilter/ip6t_mh.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index 2c7efc6a506..c2a909893a6 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -66,6 +66,13 @@ match(const struct sk_buff *skb,
return 0;
}
+ if (mh->ip6mh_proto != IPPROTO_NONE) {
+ duprintf("Dropping invalid MH Payload Proto: %u\n",
+ mh->ip6mh_proto);
+ *hotdrop = 1;
+ return 0;
+ }
+
return type_match(mhinfo->types[0], mhinfo->types[1], mh->ip6mh_type,
!!(mhinfo->invflags & IP6T_MH_INV_TYPE));
}