]> err.no Git - linux-2.6/commitdiff
[NETFILTER]: Check policy length in policy match strict mode
authorPatrick McHardy <kaber@trash.net>
Sat, 4 Feb 2006 10:17:26 +0000 (02:17 -0800)
committerDavid S. Miller <davem@sunset.davemloft.net>
Sun, 5 Feb 2006 07:51:26 +0000 (23:51 -0800)
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/netfilter/ipt_policy.c
net/ipv6/netfilter/ip6t_policy.c

index 18ca8258a1c597c170fd718f5c8556a1eaefb382..a48949a3a7506db42d32d7548fcdad0dda0dd092 100644 (file)
@@ -89,7 +89,7 @@ match_policy_out(const struct sk_buff *skb, const struct ipt_policy_info *info)
                        return 0;
        }
 
-       return strict ? 1 : 0;
+       return strict ? i == info->len : 0;
 }
 
 static int match(const struct sk_buff *skb,
index afe1cc4c18a5bffc734d6011b1dfddd395007158..9f38cd0a6489486420188d80d253aee9153a3d94 100644 (file)
@@ -91,7 +91,7 @@ match_policy_out(const struct sk_buff *skb, const struct ip6t_policy_info *info)
                        return 0;
        }
 
-       return strict ? 1 : 0;
+       return strict ? i == info->len : 0;
 }
 
 static int match(const struct sk_buff *skb,