[PATCH nft] src: Check range bounds before converting to prefix

The lower bound must be the first value of the prefix to be converted.
For example, range "10.0.0.15-10.0.0.240" cannot be converted to
"10.0.0.15/24". Validate it by checking if the lower bound value has
enough trailing zeros.

Signed-off-by: Xiao Liang <shaw.leon@xxxxxxxxx>
---
 src/netlink.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/netlink.c b/src/netlink.c
index cbf9d436..0fd0b664 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1079,12 +1079,15 @@ struct expr *range_expr_to_prefix(struct expr *range)
 
 	if (mpz_bitmask_is_prefix(bitmask, len)) {
 		prefix_len = mpz_bitmask_to_prefix(bitmask, len);
-		prefix = prefix_expr_alloc(&range->location, expr_get(left),
-					   prefix_len);
-		mpz_clear(bitmask);
-		expr_free(range);
-
-		return prefix;
+		if (mpz_scan1(left->value, 0) >= len - prefix_len) {
+			prefix = prefix_expr_alloc(&range->location,
+						   expr_get(left),
+						   prefix_len);
+			mpz_clear(bitmask);
+			expr_free(range);
+
+			return prefix;
+		}
 	}
 	mpz_clear(bitmask);
 
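Review bot: the new condition "mpz_scan1(left->value, 0) >= len - prefix_len" carries no comment, and when it fails the code silently falls through to the existing mpz_clear(bitmask) path, so the intent is only recoverable from the commit message. A short comment above the inner if, saying that the lower bound needs at least len - prefix_len trailing zero bits to be the first address of the prefix, would help. It should also note that an all-zero lower bound is accepted only because mpz_scan1() returns the largest possible bit count when no set bit is found. The diffstat touches only src/netlink.c, so a regression test covering the commit message's example range (10.0.0.15-10.0.0.240 must stay a range) would be worth adding alongside.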
-- 
2.33.0