netfilter: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE
As packets ending with NEXTHDR_NONE don't have a last extension header, the check for the length needs to be after the check for NEXTHDR_NONE. Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
parent
a7ca7fccac
commit
b98b4947cb
@ -50,14 +50,14 @@ ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
struct ipv6_opt_hdr _hdr;
|
||||
int hdrlen;
|
||||
|
||||
/* Is there enough space for the next ext header? */
|
||||
if (len < (int)sizeof(struct ipv6_opt_hdr))
|
||||
return false;
|
||||
/* No more exthdr -> evaluate */
|
||||
if (nexthdr == NEXTHDR_NONE) {
|
||||
temp |= MASK_NONE;
|
||||
break;
|
||||
}
|
||||
/* Is there enough space for the next ext header? */
|
||||
if (len < (int)sizeof(struct ipv6_opt_hdr))
|
||||
return false;
|
||||
/* ESP -> evaluate */
|
||||
if (nexthdr == NEXTHDR_ESP) {
|
||||
temp |= MASK_ESP;
|
||||
|
Loading…
Reference in New Issue
Block a user