Commit b98b4947 authored by Christoph Paasch, committed by Patrick McHardy

netfilter: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE



As packets ending with NEXTHDR_NONE don't have a last extension header,
the check for the length needs to be after the check for NEXTHDR_NONE.

Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
parent a7ca7fcc
+3 −3
@@ -50,14 +50,14 @@ ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
		struct ipv6_opt_hdr _hdr;
		struct ipv6_opt_hdr _hdr;
		int hdrlen;
		int hdrlen;


		/* Is there enough space for the next ext header? */
		if (len < (int)sizeof(struct ipv6_opt_hdr))
			return false;
		/* No more exthdr -> evaluate */
		/* No more exthdr -> evaluate */
		if (nexthdr == NEXTHDR_NONE) {
		if (nexthdr == NEXTHDR_NONE) {
			temp |= MASK_NONE;
			temp |= MASK_NONE;
			break;
			break;
		}
		}
		/* Is there enough space for the next ext header? */
		if (len < (int)sizeof(struct ipv6_opt_hdr))
			return false;
		/* ESP -> evaluate */
		/* ESP -> evaluate */
		if (nexthdr == NEXTHDR_ESP) {
		if (nexthdr == NEXTHDR_ESP) {
			temp |= MASK_ESP;
			temp |= MASK_ESP;
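
Review bot: the placement of the NEXTHDR_NONE branch ahead of the `len < (int)sizeof(struct ipv6_opt_hdr)` check in ipv6header_mt6() is now what makes the match correct, but the moved comment still only reads "Is there enough space for the next ext header?" and nothing in the code says why it must come second. Consider extending the "No more exthdr -> evaluate" comment to state that no header follows NEXTHDR_NONE, so the length check must not run before it; that keeps a later cleanup from restoring the old order. The NEXTHDR_ESP branch directly below also only sets a mask bit in the lines shown here, so it is worth confirming that returning false on a short packet before reaching it is intended, and saying so in the comment if it is.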