authorJeremy Sowden <jeremy@azazel.net>2023-09-03 18:10:09 +0100
committerFlorian Westphal <fw@strlen.de>2023-09-14 14:31:28 +0200
commitd9e4d162d109458938dcd188eb5eb78bab90a898 (patch)
treee1e085e52b451f8981abca84b65c65fe95826279 /src/conntrack/bsf.c
parent0605041503d626a65d75115c9853ee0f39f0a7f9 (diff)
conntrack: fix BPF for filtering IPv6 addresses
Each address in the filter is matched one 32-bit word at a time. If any of the first three words don't match, we jump to the end of the filter. If the last word does match, we jump to the end of the filter. However, this is not right: it means that if any of the first three words of an address don't match, all subsequent addresses will be skipped. Instead, jump to the next address. Fix formatting of `nfct_bsf_cmp_k_stack`. Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690676 Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1062 Fixes: dd73e5708cc2 ("bsf: add support for IPv6 address filtering") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'src/conntrack/bsf.c')
-rw-r--r--src/conntrack/bsf.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
index 35cc8b7..48fd4fa 100644
--- a/src/conntrack/bsf.c
+++ b/src/conntrack/bsf.c
@@ -163,7 +163,7 @@ struct jump {
static int
nfct_bsf_cmp_k_stack(struct sock_filter *this, int k,
- int jump_true, int pos, struct stack *s)
+ int jump_true, int pos, struct stack *s)
{
struct sock_filter __code = {
.code = BPF_JMP|BPF_JEQ|BPF_K,
@@ -640,8 +640,8 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f,
j);
if (k < 3) {
j += nfct_bsf_cmp_k_stack_jf(this, ip,
- jf - j - 1,
- j, s);
+ (3 - k) * 3 + 1,
+ j, s);
} else {
/* last word: jump if true */
j += nfct_bsf_cmp_k_stack(this, ip, jf - j,
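Review bot: The new jump-false offset `(3 - k) * 3 + 1` on the `k < 3` branch is a bare arithmetic expression whose `3` multiplier and `+ 1` are coupled to however many instructions the loop emits per 32-bit word, and nothing in the hunk records that coupling. A later change to the per-word emission (an extra load, a different compare form) would silently break the skip-to-next-address that this commit introduces, and the bugzilla history shows this offset has already been wrong once. I would document the derivation right above the call, e.g. `/* mismatch: skip the remaining words of this address (3 insns each, presumably ld + cmp + jump) plus the last word's jump-if-true, landing on the next address */`, with the per-word count confirmed against the emitter rather than assumed; a named constant for the per-word instruction count would make the dependency explicit. The enclosing bsf_add_addr_ipv6_filter starts before this hunk and continues after it, so the loop header that determines the instruction count is not visible here.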
@@ -655,7 +655,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f,
this[jmp.line].jt += jmp.jt + j;
}
if (jmp.jf) {
- this[jmp.line].jf += jmp.jf + j;
+ this[jmp.line].jf += jmp.jf;
}
}