[NETFILTER 11/14]: Check policy length in policy match strict mode

[Patrick McHardy]

[NETFILTER]: Check policy length in policy match strict mode

Signed-off-by: Patrick McHardy <kaber at trash.net>

---
commit 0140ae42a6acc87e5c63ac8367473670dcffba8e
tree 0145dfe52711bf0e7d503b3d2a2d2ac603d82ad9
parent 9da97b95715756a28bfc1a931f033db6206d7dfd
author Patrick McHardy <kaber at trash.net> Fri, 03 Feb 2006 12:46:53 +0100
committer Patrick McHardy <kaber at trash.net> Fri, 03 Feb 2006 12:46:53 +0100

 net/ipv4/netfilter/ipt_policy.c  |    2 +-
 net/ipv6/netfilter/ip6t_policy.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_policy.c b/net/ipv4/netfilter/ipt_policy.c
index 18ca825..a48949a 100644
--- a/net/ipv4/netfilter/ipt_policy.c
+++ b/net/ipv4/netfilter/ipt_policy.c
@@ -89,7 +89,7 @@ match_policy_out(const struct sk_buff *s
 			return 0;
 	}
 
-	return strict ? 1 : 0;
+	return strict ? i == info->len : 0;
 }
 
 static int match(const struct sk_buff *skb,
diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c
index afe1cc4..9f38cd0 100644
--- a/net/ipv6/netfilter/ip6t_policy.c
+++ b/net/ipv6/netfilter/ip6t_policy.c
@@ -91,7 +91,7 @@ match_policy_out(const struct sk_buff *s
 			return 0;
 	}
 
-	return strict ? 1 : 0;
+	return strict ? i == info->len : 0;
 }
 
 static int match(const struct sk_buff *skb,