| author | Florian Westphal <fw@strlen.de> | 2026-06-18 10:49:24 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2026-06-21 00:18:27 +0200 |
| commit | af8d6ae09c0a5f8b8a0d5680203c74b3c1daa85b (patch) | |
| tree | f547a52e8f54dff75208d2bbe3024c7711b5d5af /net | |
| parent | e409c23c2d0630f3b95efd12428b2e58800b7645 (diff) | |
| download | ath-af8d6ae09c0a5f8b8a0d5680203c74b3c1daa85b.tar.gz | |
netfilter: nf_reject: skip iphdr options when looking for icmp header
Not a big deal but this should have used the real ip header length and not the
base header size. As-is, if there are options then
nf_skb_is_icmp_unreach() result will be random.
Fixes: db99b2f2b3e2 ("netfilter: nf_reject: don't reply to icmp error messages")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/netfilter/nf_reject_ipv4.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c index fecf6621f679f..4626dc46808f3 100644 --- a/net/ipv4/netfilter/nf_reject_ipv4.c +++ b/net/ipv4/netfilter/nf_reject_ipv4.c @@ -89,7 +89,7 @@ static bool nf_skb_is_icmp_unreach(const struct sk_buff *skb) if (iph->protocol != IPPROTO_ICMP) return false; - thoff = skb_network_offset(skb) + sizeof(*iph); + thoff = skb_network_offset(skb) + ip_hdrlen(skb); tp = skb_header_pointer(skb, thoff + offsetof(struct icmphdr, type), |
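Review bot: On the new `thoff = skb_network_offset(skb) + ip_hdrlen(skb);` line, the length is read through the skb's network header, while the protocol check just above it goes through the local `iph` pointer. Consider `iph->ihl * 4` so that both the protocol and the length come from the same header copy, or confirm that `iph` is simply `ip_hdr(skb)` in this function. The visible context also shows no check that `ihl` is at least 5; if nothing earlier on this path guarantees that, a malformed value would place `thoff` inside the IP header and the `skb_header_pointer()` read of `icmphdr.type` would again return an unrelated byte, which is the same class of wrong result the commit message describes. A short comment stating where the header was validated would settle it.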
