From 151296423e475cd9008b56f893b1dd07912bf81a Mon Sep 17 00:00:00 2001 From: Duncan Roe Date: Sun, 8 Oct 2023 13:41:31 +1100 Subject: src: Fix IPv6 Fragment Header processing 2 items: 1. frag_off (Fragment Offset pointer) overshot by 2 bytes because of adding offsetof() to it *after* it had been cast to uint16_t *. 2. Need to mask off LS 3 bits of ip6f_offlg *after* call to htons. Fixes: a0c885ae5a79 ("add pkt_buff and protocol helper functions") Signed-off-by: Duncan Roe Signed-off-by: Pablo Neira Ayuso --- src/extra/ipv6.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/extra/ipv6.c b/src/extra/ipv6.c index 69d86a8..fd8ebc4 100644 --- a/src/extra/ipv6.c +++ b/src/extra/ipv6.c @@ -113,11 +113,11 @@ int nfq_ip6_set_transport_header(struct pkt_buff *pktb, struct ip6_hdr *ip6h, break; } - frag_off = (uint16_t *)cur + - offsetof(struct ip6_frag, ip6f_offlg); + frag_off = (uint16_t *)(cur + + offsetof(struct ip6_frag, ip6f_offlg)); /* Fragment offset is only 13 bits long. */ - if (htons(*frag_off & ~0x7)) { + if (htons(*frag_off) & ~0x7) { /* Not the first fragment, it does not contain * any headers. */ -- cgit v1.2.3
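Review bot: In the new condition `htons(*frag_off) & ~0x7` the field is being converted from wire order to host order, so `ntohs()` is the call that matches the intent; `htons()` produces the same value but reads as a send-side conversion. Both defects fixed in this hunk come from hand-written pointer arithmetic and masking, so consider dropping `frag_off` and reading the field through the struct, for example `const struct ip6_frag *fh = (const struct ip6_frag *)cur;` followed by `if (fh->ip6f_offlg & IP6F_OFF_MASK)`. `IP6F_OFF_MASK` from `<netinet/ip6.h>` is defined in network byte order, so no swap is needed and the cast precedence problem cannot recur. The visible lines do not show a check that a full `struct ip6_frag` lies inside the packet before the dereference; if that check is not already made earlier in the loop, it belongs ahead of this read. A regression test with a first fragment that has the M flag set and a later fragment with a non-zero offset would exercise both fixes.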