From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 7 Oct 2014 17:02:11 +0000 (+0200)
Subject: netfilter: fix wrong arithmetics regarding NFT_REJECT_ICMPX_MAX
X-Git-Tag: fixes-against-v3.18-rc2~115^2~9^2
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f0d1f04f0a2f662b6b617e24d115fddcf6ef8723;p=pandora-kernel.git

netfilter: fix wrong arithmetics regarding NFT_REJECT_ICMPX_MAX

NFT_REJECT_ICMPX_MAX should be __NFT_REJECT_ICMPX_MAX - 1.

nft_reject_icmp_code() and nft_reject_icmpv6_code() are called from the
packet path, so BUG_ON in case we try to access an unknown abstracted
ICMP code. This should not happen since we already validate this from
nft_reject_{inet,bridge}_init().

Fixes: 51b0a5d ("netfilter: nft_reject: introduce icmp code abstraction for inet and bridge")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

Reading git-diff-tree failed