authorFlorian Westphal <fw@strlen.de>2026-06-18 10:49:24 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2026-06-21 00:18:27 +0200
commitaf8d6ae09c0a5f8b8a0d5680203c74b3c1daa85b (patch)
treef547a52e8f54dff75208d2bbe3024c7711b5d5af /net
parente409c23c2d0630f3b95efd12428b2e58800b7645 (diff)
netfilter: nf_reject: skip iphdr options when looking for icmp header
Not a big deal but this should have used the real ip header length and not the base header size. As-is, if there are options then nf_skb_is_icmp_unreach() result will be random. Fixes: db99b2f2b3e2 ("netfilter: nf_reject: don't reply to icmp error messages") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter/nf_reject_ipv4.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index fecf6621f679f..4626dc46808f3 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -89,7 +89,7 @@ static bool nf_skb_is_icmp_unreach(const struct sk_buff *skb)
if (iph->protocol != IPPROTO_ICMP)
return false;
- thoff = skb_network_offset(skb) + sizeof(*iph);
+ thoff = skb_network_offset(skb) + ip_hdrlen(skb);
tp = skb_header_pointer(skb,
thoff + offsetof(struct icmphdr, type),