netfilter: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE
Christoph Paasch [Tue, 5 May 2009 13:32:16 +0000 (15:32 +0200)]
As packets ending with NEXTHDR_NONE don't have a last extension header,
the check for the length needs to be after the check for NEXTHDR_NONE.

Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

net/ipv6/netfilter/ip6t_ipv6header.c

index 14e6724..91490ad 100644 (file)
@@ -50,14 +50,14 @@ ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
                struct ipv6_opt_hdr _hdr;
                int hdrlen;
 
-               /* Is there enough space for the next ext header? */
-               if (len < (int)sizeof(struct ipv6_opt_hdr))
-                       return false;
                /* No more exthdr -> evaluate */
                if (nexthdr == NEXTHDR_NONE) {
                        temp |= MASK_NONE;
                        break;
                }
+               /* Is there enough space for the next ext header? */
+               if (len < (int)sizeof(struct ipv6_opt_hdr))
+                       return false;
                /* ESP -> evaluate */
                if (nexthdr == NEXTHDR_ESP) {
                        temp |= MASK_ESP;
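Review bot: the relocated `if (len < (int)sizeof(struct ipv6_opt_hdr))` check gives no hint that its position after the `NEXTHDR_NONE` branch is deliberate, so a later cleanup could hoist it back to the top of the loop body and reintroduce the mismatch the commit message describes. Consider extending the moved comment to say so, for example `/* NEXTHDR_NONE has no header after it, so only check the length once that case is ruled out */`. The `NEXTHDR_ESP` branch in the trailing context still sits behind the length check; it is worth confirming that this is intended, since from these lines it is not clear whether that branch reads an option header before evaluating.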