netfilter: nf_reject: skip iphdr options when looking for icmp header
authorFlorian Westphal <fw@strlen.de>
Thu, 18 Jun 2026 08:49:24 +0000 (10:49 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Sat, 20 Jun 2026 22:18:27 +0000 (00:18 +0200)
Not a big deal but this should have used the real ip header length and not the
base header size.  As-is, if there are options then
nf_skb_is_icmp_unreach() result will be random.

Fixes: db99b2f2b3e2 ("netfilter: nf_reject: don't reply to icmp error messages")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/ipv4/netfilter/nf_reject_ipv4.c

index fecf6621f679f9d435803a7bd522b38bf3de7ef4..4626dc46808f3ac456d390e9323bdea2d3d3dac3 100644 (file)
@@ -89,7 +89,7 @@ static bool nf_skb_is_icmp_unreach(const struct sk_buff *skb)
        if (iph->protocol != IPPROTO_ICMP)
                return false;
 
-       thoff = skb_network_offset(skb) + sizeof(*iph);
+       thoff = skb_network_offset(skb) + ip_hdrlen(skb);
 
        tp = skb_header_pointer(skb,
                                thoff + offsetof(struct icmphdr, type),
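Review bot: The new `thoff` line should carry a comment explaining why `ip_hdrlen()` is required here, since the old `sizeof(*iph)` form looked correct and is easy to reintroduce: `/* IHL may include IP options; sizeof(*iph) only covers the 20-byte base header. */`. `ip_hdrlen()` trusts the `ihl` field of the packet, so the read at `thoff + offsetof(struct icmphdr, type)` is only safe because `skb_header_pointer()` bounds-checks it against the skb; the result of that call must still be checked for NULL before the ICMP type is compared, which happens past the end of this hunk and cannot be confirmed from here. The function nf_skb_is_icmp_unreach starts before and ends after this hunk.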