releases/2.6.14.7/fix-bridge-netfilter-matching-ip-fragments.patch

From stable-bounces@linux.kernel.org  Tue Jan 10 13:19:27 2006
Date: Tue, 10 Jan 2006 13:13:45 -0800 (PST)
Message-Id: <20060110.131345.37717560.davem@davemloft.net>
To: stable@kernel.org
From: "David S. Miller" <davem@davemloft.net>
Subject: [EBTABLES] Don't match tcp/udp source/destination port for IP fragments

From: Bart De Schuymer <bdschuym@pandora.be>

Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 net/bridge/netfilter/ebt_ip.c |    3 +++
 1 file changed, 3 insertions(+)

--- linux-2.6.14.6.orig/net/bridge/netfilter/ebt_ip.c
+++ linux-2.6.14.6/net/bridge/netfilter/ebt_ip.c
@@ -15,6 +15,7 @@
 #include <linux/netfilter_bridge/ebtables.h>
 #include <linux/netfilter_bridge/ebt_ip.h>
 #include <linux/ip.h>
+#include <net/ip.h>
 #include <linux/in.h>
 #include <linux/module.h>
 
@@ -51,6 +52,8 @@ static int ebt_filter_ip(const struct sk
 		if (!(info->bitmask & EBT_IP_DPORT) &&
 		    !(info->bitmask & EBT_IP_SPORT))
 			return EBT_MATCH;
+		if (ntohs(ih->frag_off) & IP_OFFSET)
+			return EBT_NOMATCH;
 		pptr = skb_header_pointer(skb, ih->ihl*4,
 					  sizeof(_ports), &_ports);
 		if (pptr == NULL)