author | Christoph Paasch <christoph.paasch@gmail.com> | 2009-05-05 15:32:16 +0200 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2009-05-05 15:32:16 +0200 |
commit | b98b4947cb79d670fceca0e951c092eea93e9baa (patch) | |
tree | 4daddb336ddbab1e7ac7a6b10e68add36ab908ac /net | |
parent | netfilter: add missing linux/types.h include to xt_LED.h (diff) | |
netfilter: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE

As packets ending with NEXTHDR_NONE don't have a last extension header,
the check for the length needs to be after the check for NEXTHDR_NONE.

Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv6/netfilter/ip6t_ipv6header.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c index 14e6724d5672..91490ad9302c 100644 --- a/net/ipv6/netfilter/ip6t_ipv6header.c +++ b/net/ipv6/netfilter/ip6t_ipv6header.c @@ -50,14 +50,14 @@ ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par) struct ipv6_opt_hdr _hdr; int hdrlen; - /* Is there enough space for the next ext header? */ - if (len < (int)sizeof(struct ipv6_opt_hdr)) - return false; /* No more exthdr -> evaluate */ if (nexthdr == NEXTHDR_NONE) { temp |= MASK_NONE; break; } + /* Is there enough space for the next ext header? */ + if (len < (int)sizeof(struct ipv6_opt_hdr)) + return false; /* ESP -> evaluate */ if (nexthdr == NEXTHDR_ESP) { temp |= MASK_ESP; |
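Review bot: the relocated length check in ipv6header_mt6() is only correct because it now sits after the NEXTHDR_NONE branch, but its comment ("Is there enough space for the next ext header?") says nothing about that ordering, which is the whole point of this fix. Consider extending the comment to say that NEXTHDR_NONE has no header behind it and must be tested first, so a later cleanup does not hoist the check back above it. It is also worth confirming that the ESP branch is meant to stay behind `len < (int)sizeof(struct ipv6_opt_hdr)`: in this order a packet whose remaining length is below that size returns false before MASK_ESP can be set.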