netfilter: conntrack: check for NEXTHDR_NONE before header sanity checking
NEXTHDR_NONE doesn't has an IPv6 option header, so the first check for the length will always fail and results in a confusing message "too short" if debugging enabled. With this patch, we check for NEXTHDR_NONE before length sanity checkings are done. Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
parent
ec8d540969
commit
d1238d5337
|
@ -528,14 +528,14 @@ find_prev_fhdr(struct sk_buff *skb, u8 *prevhdrp, int *prevhoff, int *fhoff)
|
|||
if (!ipv6_ext_hdr(nexthdr)) {
|
||||
return -1;
|
||||
}
|
||||
if (len < (int)sizeof(struct ipv6_opt_hdr)) {
|
||||
pr_debug("too short\n");
|
||||
return -1;
|
||||
}
|
||||
if (nexthdr == NEXTHDR_NONE) {
|
||||
pr_debug("next header is none\n");
|
||||
return -1;
|
||||
}
|
||||
if (len < (int)sizeof(struct ipv6_opt_hdr)) {
|
||||
pr_debug("too short\n");
|
||||
return -1;
|
||||
}
|
||||
if (skb_copy_bits(skb, start, &hdr, sizeof(hdr)))
|
||||
BUG();
|
||||
if (nexthdr == NEXTHDR_AUTH)
|
||||
|
|
Loading…
Reference in New Issue