[PATCH] netfilter: fix: support ipv6header match on packets ending with NEXTHDR_NONE

[PATCH] netfilter: fix: support ipv6header match on packets ending with NEXTHDR_NONE

[Christoph Paasch]

As packets ending with NEXTHDR_NONE don't have a last extension header,
the check for the length needs to be after the check for NEXTHDR_NONE.

Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
---
 net/ipv6/netfilter/ip6t_ipv6header.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 14e6724..91490ad 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -50,14 +50,14 @@ ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 		struct ipv6_opt_hdr _hdr;
 		int hdrlen;
 
-		/* Is there enough space for the next ext header? */
-		if (len < (int)sizeof(struct ipv6_opt_hdr))
-			return false;
 		/* No more exthdr -> evaluate */
 		if (nexthdr == NEXTHDR_NONE) {
 			temp |= MASK_NONE;
 			break;
 		}
+		/* Is there enough space for the next ext header? */
+		if (len < (int)sizeof(struct ipv6_opt_hdr))
+			return false;
 		/* ESP -> evaluate */
 		if (nexthdr == NEXTHDR_ESP) {
 			temp |= MASK_ESP;
-- 
1.6.0.4

Re: [PATCH] netfilter: fix: support ipv6header match on packets ending with NEXTHDR_NONE

[Patrick McHardy]

Christoph Paasch wrote:
> As packets ending with NEXTHDR_NONE don't have a last extension header,
> the check for the length needs to be after the check for NEXTHDR_NONE.

Applied, thanks Christoph.