From: Christoph Paasch <christoph.paasch@gmail.com>
Date: Tue, 5 May 2009 13:32:16 +0000 (+0200)
Subject: netfilter: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE
X-Git-Tag: v2.6.30-rc6~48^2~11^2~2
X-Git-Url: https://openfabrics.org/gitweb/?a=commitdiff_plain;h=b98b4947cb79d670fceca0e951c092eea93e9baa;p=~emulex%2Finfiniband.git

netfilter: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE

As packets ending with NEXTHDR_NONE don't have a last extension header,
the check for the length needs to be after the check for NEXTHDR_NONE.

Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---

diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 14e6724d567..91490ad9302 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -50,14 +50,14 @@ ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 		struct ipv6_opt_hdr _hdr;
 		int hdrlen;
 
-		/* Is there enough space for the next ext header? */
-		if (len < (int)sizeof(struct ipv6_opt_hdr))
-			return false;
 		/* No more exthdr -> evaluate */
 		if (nexthdr == NEXTHDR_NONE) {
 			temp |= MASK_NONE;
 			break;
 		}
+		/* Is there enough space for the next ext header? */
+		if (len < (int)sizeof(struct ipv6_opt_hdr))
+			return false;
 		/* ESP -> evaluate */
 		if (nexthdr == NEXTHDR_ESP) {
 			temp |= MASK_ESP;