author/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org>2006-01-12 09:43:18 +0000
committer/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org>2006-01-12 09:43:18 +0000
commit003e935b55c6f15f09648e93b33be0c2fa24f18c (patch)
tree0bd2c1c0b22c262f8d4d78be0309fe8c770e3158
parentb44442c5e5cccc15b7c0cd34308ed962870f9747 (diff)
Move empty policy element check to also catch last element
-rw-r--r--extensions/libip6t_policy.c11
-rw-r--r--extensions/libipt_policy.c11
2 files changed, 12 insertions, 10 deletions
diff --git a/extensions/libip6t_policy.c b/extensions/libip6t_policy.c
index 189ca6e..7498e98 100644
--- a/extensions/libip6t_policy.c
+++ b/extensions/libip6t_policy.c
@@ -283,11 +283,6 @@ static int parse(int c, char **argv, int invert, unsigned int *flags,
exit_error(PARAMETER_PROBLEM,
"policy match: can't invert --next option");
- if (!(e->match.reqid || e->match.spi || e->match.saddr ||
- e->match.daddr || e->match.proto || e->match.mode))
- exit_error(PARAMETER_PROBLEM,
- "policy match: --next without policy element specification");
-
if (++info->len == IP6T_POLICY_MAX_ELEM)
exit_error(PARAMETER_PROBLEM,
"policy match: maximum policy depth reached");
@@ -331,6 +326,12 @@ static void final_check(unsigned int flags)
for (i = 0; i < info->len; i++) {
e = &info->pol[i];
+
+ if (!(e->match.reqid || e->match.spi || e->match.saddr ||
+ e->match.daddr || e->match.proto || e->match.mode))
+ exit_error(PARAMETER_PROBLEM,
+ "policy match: empty policy element");
+
if ((e->match.saddr || e->match.daddr)
&& ((e->mode == IP6T_POLICY_MODE_TUNNEL && e->invert.mode) ||
(e->mode == IP6T_POLICY_MODE_TRANSPORT && !e->invert.mode)))
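Review bot: The empty-element check added at the top of the loop in final_check() reports only `policy match: empty policy element`, without saying which element is empty, although the loop index `i` is available; the removed check in parse() at least pointed the user at `--next`. If exit_error() takes printf-style arguments (only two-argument calls are visible here), appending the element index to the message would make a long chain of elements easier to correct. A one-line comment above the test, such as `/* an element with no match flags constrains nothing; reject it instead of accepting a rule broader than the user intended */`, would record why the check exists; that reading is inferred from the field names and should be confirmed against the kernel-side match. Whether the loop really reaches the last element depends on how `info->len` is adjusted before the loop, which lies outside this hunk, so it is worth verifying with a rule whose final element is empty. The same points apply to the identical final_check() hunk in extensions/libipt_policy.c.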
diff --git a/extensions/libipt_policy.c b/extensions/libipt_policy.c
index df4916d..593bb11 100644
--- a/extensions/libipt_policy.c
+++ b/extensions/libipt_policy.c
@@ -243,11 +243,6 @@ static int parse(int c, char **argv, int invert, unsigned int *flags,
exit_error(PARAMETER_PROBLEM,
"policy match: can't invert --next option");
- if (!(e->match.reqid || e->match.spi || e->match.saddr ||
- e->match.daddr || e->match.proto || e->match.mode))
- exit_error(PARAMETER_PROBLEM,
- "policy match: --next without policy element specification");
-
if (++info->len == IPT_POLICY_MAX_ELEM)
exit_error(PARAMETER_PROBLEM,
"policy match: maximum policy depth reached");
@@ -291,6 +286,12 @@ static void final_check(unsigned int flags)
for (i = 0; i < info->len; i++) {
e = &info->pol[i];
+
+ if (!(e->match.reqid || e->match.spi || e->match.saddr ||
+ e->match.daddr || e->match.proto || e->match.mode))
+ exit_error(PARAMETER_PROBLEM,
+ "policy match: empty policy element");
+
if ((e->match.saddr || e->match.daddr)
&& ((e->mode == IPT_POLICY_MODE_TUNNEL && e->invert.mode) ||
(e->mode == IPT_POLICY_MODE_TRANSPORT && !e->invert.mode)))