From 0d562ef932107e47c7b693973cfe4bb49afb62ec Mon Sep 17 00:00:00 2001
From: Marcel Reichmuth
Date: Thu, 9 Jun 2022 09:32:06 +0200
Subject: [PATCH] FIX: CVE-2022-30790, CVE-2022-30552
BugzId: 80018
BugzId: 80019
---
 include/net.h | 2 ++
 net/net.c | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/include/net.h b/include/net.h
index 455b48f6c7..d1b7f02355 100644
--- a/include/net.h
+++ b/include/net.h
@@ -379,6 +379,8 @@ struct ip_hdr {
 #define IP_HDR_SIZE (sizeof(struct ip_hdr))
+#define IP_MIN_FRAG_DATAGRAM_SIZE (IP_HDR_SIZE + 8)
+
 /*
 * Internet Protocol (IP) + UDP header.
 */
diff --git a/net/net.c b/net/net.c
index 4259c9e321..99e3c08898 100644
--- a/net/net.c
+++ b/net/net.c
@@ -862,6 +862,9 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
 int offset8, start, len, done = 0;
 u16 ip_off = ntohs(ip->ip_off);
+ if (ip->ip_len < IP_MIN_FRAG_DATAGRAM_SIZE)
+ return NULL;
+
 /* payload starts after IP header, this fragment is in there */
 payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
 offset8 = (ip_off & IP_OFFS);
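Review bot: The added guard in `__net_defragment` compares `ip->ip_len` raw, while the context line just above converts the neighbouring header field with `ntohs(ip->ip_off)`, so `ip_len` is presumably still in network byte order at this point. On a little-endian target the byte-swapped value of an undersized total length can read as a large number and pass the check, which would leave the minimum-size test ineffective for exactly the short fragments this commit is meant to reject. The comparison should be done on the host-order value: `if (ntohs(ip->ip_len) < IP_MIN_FRAG_DATAGRAM_SIZE)`. A one-line comment such as `/* reject fragments too short to carry a header plus one 8-byte block */` would also record why the bound is `IP_HDR_SIZE + 8`. The function body continues outside this hunk, so whether the later length arithmetic needs further bounds cannot be judged from here.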