kernel-2.6.18-194.11.1.el5.src.rpm

From: Jiri Pirko <jpirko@redhat.com>
Date: Wed, 19 Aug 2009 16:37:14 +0200
Subject: [net] ipv6: do not fwd pkts with the unspecified saddr
Message-id: 20090819143713.GG3870@psychotron.englab.brq.redhat.com
O-Subject: [RHEL5.5 patch] BZ517899 net: ipv6: Do not forward packets with the unspecified source address.
Bugzilla: 517899
RH-Acked-by: Dean Nelson <dnelson@redhat.com>
RH-Acked-by: David Miller <davem@redhat.com>
RH-Acked-by: Stefan Assmann <sassmann@redhat.com>

BZ517899
https://bugzilla.redhat.com/show_bug.cgi?id=517899

Description:
RFC3513:2.5.2
The Unspecified Address
An IPv6 packet with a source address of unspecified must never be forwarded
by an IPv6 router.

According to the RFC, an IPv6 packet with a source address of unspecified must
never be forwarded by an IPv6 router. The problem is that RHEL does forward
packets whose source address is the IPv6 unspecified address. This patch
corrects this.

Upstream:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=f81b2e7d8cf8c6a52b7a5224c3b89cee5aeb6811

Brew:
https://brewweb.devel.redhat.com/taskinfo?taskID=1932247

Test:
Booted on x86_64, tested by the reproducer.

Jirka

Signed-off-by: Jiri Pirko <jpirko@redhat.com>

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 27e39ec..56b1c1a 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -413,7 +413,8 @@ int ip6_forward(struct sk_buff *skb)
 		int addrtype = ipv6_addr_type(&hdr->saddr);
 
 		/* This check is security critical. */
-		if (addrtype & (IPV6_ADDR_MULTICAST|IPV6_ADDR_LOOPBACK))
+		if (addrtype == IPV6_ADDR_ANY ||
+		    addrtype & (IPV6_ADDR_MULTICAST | IPV6_ADDR_LOOPBACK))
 			goto error;
 		if (addrtype & IPV6_ADDR_LINKLOCAL) {
 			icmpv6_send(skb, ICMPV6_DEST_UNREACH,
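Review bot: The comment above the changed condition in ip6_forward() still reads only "This check is security critical." and does not say which rule the new `addrtype == IPV6_ADDR_ANY` test enforces, or why it is written as an equality comparison while multicast and loopback on the next line are tested with a mask. Please extend the comment to cite the rule quoted in the commit message (RFC 3513 section 2.5.2, a packet with the unspecified source address must never be forwarded) and to note that IPV6_ADDR_ANY is deliberately compared with == rather than added to the mask, so a later cleanup does not merge the two tests. It is also worth stating in the comment that these packets take the same `goto error` path as multicast and loopback sources, in contrast to the link-local branch just below, which calls icmpv6_send() with ICMPV6_DEST_UNREACH.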