--- zzzz-none-000/linux-2.6.32.60/net/ipv6/netfilter/nf_conntrack_reasm.c	2012-10-07 21:41:24.000000000 +0000
+++ ur8-7270-606/linux-2.6.32.60/net/ipv6/netfilter/nf_conntrack_reasm.c	2013-02-12 11:29:49.000000000 +0000
@@ -474,7 +474,7 @@
 
 	/* all original skbs are linked into the NFCT_FRAG6_CB(head).orig */
 	fp = skb_shinfo(head)->frag_list;
-	if (fp && NFCT_FRAG6_CB(fp)->orig == NULL)
+	if (NFCT_FRAG6_CB(fp)->orig == NULL)
 		/* at above code, head skb is divided into two skbs. */
 		fp = fp->next;
 
@@ -600,6 +600,18 @@
 	hdr = ipv6_hdr(clone);
 	fhdr = (struct frag_hdr *)skb_transport_header(clone);
 
+	if (!(fhdr->frag_off & htons(0xFFF9))) {
+		pr_debug("Invalid fragment offset\n");
+		/* It is not a fragmented frame */
+		goto ret_orig;
+	}
+
+	if (!(fhdr->frag_off & htons(0xFFF9))) {
+		pr_debug("Invalid fragment offset\n");
+		/* It is not a fragmented frame */
+		goto ret_orig;
+	}
+
 	if (atomic_read(&nf_init_frags.mem) > nf_init_frags.high_thresh)
 		nf_ct_frag6_evictor();