lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[NETFILTER]: Fix ip6t_policy address matching

Browse Source 
Fix two bugs in ip6t_policy address matching:
- misorder arguments to ip6_masked_addrcmp, mask must be the second argument
- inversion incorrectly applied to the entire expression instead of just
  the address comparison

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Patrick McHardy
2006-02-04 02:17:55 -08:00
committed by David S. Miller
parent e55f1bc5dc
commit 878c41ce57
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
net/ipv6/netfilter/ip6t_policy.c
View File

@@ -27,7 +27,8 @@ static inline int
match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e) match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e)
{ {
#define MATCH_ADDR(x,y,z) (!e->match.x || \ #define MATCH_ADDR(x,y,z) (!e->match.x || \
((ip6_masked_addrcmp((z), &e->x, &e->y)) == 0) ^ e->invert.x) ((!ip6_masked_addrcmp(&e->x, &e->y, z)) \
^ e->invert.x))
#define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x)) #define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x))
return MATCH_ADDR(saddr, smask, (struct in6_addr *)&x->props.saddr.a6) && return MATCH_ADDR(saddr, smask, (struct in6_addr *)&x->props.saddr.a6) &&