The mask and xor must use the same number of data registers. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx> --- src/expr/bitwise.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c index fa2fc5a..6932086 100644 --- a/src/expr/bitwise.c +++ b/src/expr/bitwise.c @@ -298,6 +298,16 @@ nft_rule_expr_bitwise_xml_parse(struct nft_rule_expr *e, char *xml) bitwise->xor.len = data_regtmp.len; e->flags |= (1 << NFT_EXPR_BITWISE_XOR); + /* Additional validation: mask and xor must use the same number of + * data registers. + */ + + if (bitwise->mask.len != bitwise->xor.len) { + mxmlDelete(tree); + return -1; + } + + mxmlDelete(tree); return 0; #else -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
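Review bot: The new length check runs after `bitwise->xor.len` has been stored and `NFT_EXPR_BITWISE_XOR` has been set in `e->flags`, so on the -1 return the expression stays flagged as populated while holding the mismatched mask/xor lengths the check just rejected. Comparing before committing, e.g. `if (data_regtmp.len != bitwise->mask.len) { mxmlDelete(tree); return -1; }` placed ahead of the `bitwise->xor.len = data_regtmp.len;` assignment, avoids leaving that state behind for a caller that reuses `e`. The start of `nft_rule_expr_bitwise_xml_parse` is outside this hunk, so the xor value copy may need the same ordering. The check also proves only that the two lengths are equal, not that either fits the data register buffer, so it is worth confirming that `data_regtmp.len` is bounded earlier in the parser. If the function's other failure paths set `errno`, this one should set `errno = EINVAL;` too, so callers can tell a malformed document from other failures.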