1 files changed, 13 insertions, 7 deletions

diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index 1d184322a7b1..f9f02581c4ca 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -78,15 +78,15 @@ EXPORT_SYMBOL(ipv6_select_ident);
 
 int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 {
-        u16 offset = sizeof(struct ipv6hdr);
-        struct ipv6_opt_hdr *exthdr =
-                                (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
+        unsigned int offset = sizeof(struct ipv6hdr);
         unsigned int packet_len = skb_tail_pointer(skb) -
                 skb_network_header(skb);
         int found_rhdr = 0;
         *nexthdr = &ipv6_hdr(skb)->nexthdr;
 
-        while (offset + 1 <= packet_len) {
+        while (offset <= packet_len) {
+                struct ipv6_opt_hdr *exthdr;
+                unsigned int len;
 
                 switch (**nexthdr) {
 
@@ -107,13 +107,19 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
                         return offset;
                 }
 
-                offset += ipv6_optlen(exthdr);
-                *nexthdr = &exthdr->nexthdr;
+                if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
+                        return -EINVAL;
+
                 exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
                                                  offset);
+                len = ipv6_optlen(exthdr);
+                if (len + offset >= IPV6_MAXPLEN)
+                        return -EINVAL;
+                offset += len;
+                *nexthdr = &exthdr->nexthdr;
         }
 
-        return offset;
+        return -EINVAL;
 }
 EXPORT_SYMBOL(ip6_find_1stfragopt);