netfilter: conntrack: check for NEXTHDR_NONE before header sanity checking

NEXTHDR_NONE doesn't has an IPv6 option header, so the first check
for the length will always fail and results in a confusing message
"too short" if debugging enabled. With this patch, we check for
NEXTHDR_NONE before length sanity checkings are done.

Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index ed4d79a..058a5e4 100644 (file)
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -528,14 +528,14 @@ find_prev_fhdr(struct sk_buff *skb, u8 *prevhdrp, int *prevhoff, int *fhoff)
                if (!ipv6_ext_hdr(nexthdr)) {
                        return -1;
                }
-               if (len < (int)sizeof(struct ipv6_opt_hdr)) {
-                       pr_debug("too short\n");
-                       return -1;
-               }
                if (nexthdr == NEXTHDR_NONE) {
                        pr_debug("next header is none\n");
                        return -1;
                }
+               if (len < (int)sizeof(struct ipv6_opt_hdr)) {
+                       pr_debug("too short\n");
+                       return -1;
+               }
                if (skb_copy_bits(skb, start, &hdr, sizeof(hdr)))
                        BUG();
                if (nexthdr == NEXTHDR_AUTH)