authorPatrick McHardy <kaber@trash.net>2006-02-04 11:17:55 +0100
committerDavid S. Miller <davem@sunset.davemloft.net>2006-02-05 08:51:27 +0100
commit878c41ce5747e1b417bdd92a694c33dc4bd6ec02 (patch)
treefac206db8511afd50f8486dd8de8a4a3a7528c74
parent[NETFILTER]: Check policy length in policy match strict mode (diff)
[NETFILTER]: Fix ip6t_policy address matching
Fix two bugs in ip6t_policy address matching:
- misordered arguments to ip6_masked_addrcmp; the mask must be the second argument
- inversion incorrectly applied to the entire expression instead of just the address comparison

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv6/netfilter/ip6t_policy.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c
index 9f38cd0a6489..1d0f48276123 100644
--- a/net/ipv6/netfilter/ip6t_policy.c
+++ b/net/ipv6/netfilter/ip6t_policy.c
@@ -26,8 +26,9 @@ MODULE_LICENSE("GPL");
static inline int
match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e)
{
-#define MATCH_ADDR(x,y,z) (!e->match.x || \
- ((ip6_masked_addrcmp((z), &e->x, &e->y)) == 0) ^ e->invert.x)
+#define MATCH_ADDR(x,y,z) (!e->match.x || \
+ ((!ip6_masked_addrcmp(&e->x, &e->y, z)) \
+ ^ e->invert.x))
#define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x))
return MATCH_ADDR(saddr, smask, (struct in6_addr *)&x->props.saddr.a6) &&