Move empty policy element check to also catch last element
authorPatrick McHardy <kaber@trash.net>
Thu, 12 Jan 2006 09:43:18 +0000 (09:43 +0000)
committerPatrick McHardy <kaber@trash.net>
Thu, 12 Jan 2006 09:43:18 +0000 (09:43 +0000)
extensions/libip6t_policy.c
extensions/libipt_policy.c

index 189ca6e1d62a2df93504b0ae7918c519abb0cf59..7498e989d81dbc622a086d29148ac8daaba0b9e0 100644 (file)
@@ -283,11 +283,6 @@ static int parse(int c, char **argv, int invert, unsigned int *flags,
                        exit_error(PARAMETER_PROBLEM,
                                   "policy match: can't invert --next option");
 
-                if (!(e->match.reqid || e->match.spi || e->match.saddr ||
-                      e->match.daddr || e->match.proto || e->match.mode))
-                        exit_error(PARAMETER_PROBLEM,
-                                   "policy match: --next without policy element specification");
-
                if (++info->len == IP6T_POLICY_MAX_ELEM)
                        exit_error(PARAMETER_PROBLEM,
                                   "policy match: maximum policy depth reached");
@@ -331,6 +326,12 @@ static void final_check(unsigned int flags)
 
        for (i = 0; i < info->len; i++) {
                e = &info->pol[i];
+
+                if (!(e->match.reqid || e->match.spi || e->match.saddr ||
+                      e->match.daddr || e->match.proto || e->match.mode))
+                        exit_error(PARAMETER_PROBLEM,
+                                   "policy match: empty policy element");
+
                if ((e->match.saddr || e->match.daddr)
                    && ((e->mode == IP6T_POLICY_MODE_TUNNEL && e->invert.mode) ||
                        (e->mode == IP6T_POLICY_MODE_TRANSPORT && !e->invert.mode)))
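Review bot: The new error raised in final_check no longer tells the user which element is empty. The removed check in parse fired at the offending --next, so the position was implicit, but the loop gives no such hint for a long element chain. Consider passing the loop index, e.g. `"policy match: empty policy element %d", i`, assuming exit_error accepts printf-style arguments; the declaration of `i` is outside the hunk, so match the conversion to its type. The same applies to the corresponding final_check hunk in extensions/libipt_policy.c. final_check starts and ends outside this hunk.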
index df4916d63fc7a373f203f13d5997a033f57e2edc..593bb11f4a346f506a6c39ae1a39026ac4bfe33b 100644 (file)
@@ -243,11 +243,6 @@ static int parse(int c, char **argv, int invert, unsigned int *flags,
                        exit_error(PARAMETER_PROBLEM,
                                   "policy match: can't invert --next option");
 
-               if (!(e->match.reqid || e->match.spi || e->match.saddr ||
-                     e->match.daddr || e->match.proto || e->match.mode))
-                       exit_error(PARAMETER_PROBLEM,
-                                  "policy match: --next without policy element specification");
-
                if (++info->len == IPT_POLICY_MAX_ELEM)
                        exit_error(PARAMETER_PROBLEM,
                                   "policy match: maximum policy depth reached");
@@ -291,6 +286,12 @@ static void final_check(unsigned int flags)
 
        for (i = 0; i < info->len; i++) {
                e = &info->pol[i];
+
+               if (!(e->match.reqid || e->match.spi || e->match.saddr ||
+                     e->match.daddr || e->match.proto || e->match.mode))
+                       exit_error(PARAMETER_PROBLEM,
+                                  "policy match: empty policy element");
+
                if ((e->match.saddr || e->match.daddr)
                    && ((e->mode == IPT_POLICY_MODE_TUNNEL && e->invert.mode) ||
                        (e->mode == IPT_POLICY_MODE_TRANSPORT && !e->invert.mode)))
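Review bot: The moved check only covers the last element if info->len already counts it when this loop runs, and the code that sets the final length is not visible in the hunk. That dependency deserves a comment directly above the test, for example `/* info->len must already include the last element here, or a trailing empty element is not rejected */`. This matters because an element with no match bits set presumably constrains nothing at its position in the policy chain, so a missed one would make the rule looser than the user intended. The same comment fits the final_check hunk in extensions/libip6t_policy.c. final_check continues outside this hunk.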