On Thu, Jun 23, 2022 at 07:49:58PM +0200, Mikhail Sennikovsky wrote:
> Before this commit it was possible to successfully create a ct entry
> passing -p 256 and -p some_nonsense.
> In both cases an entry with the protocol=0 would be created.
>
> Do not allow invalid protocol values to -p option.
>
> Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@xxxxxxxxx>
> ---
> src/conntrack.c | 22 ++++++++++++++++++++--
> 1 file changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/src/conntrack.c b/src/conntrack.c
> index 500e736..dca7da6 100644
> --- a/src/conntrack.c
> +++ b/src/conntrack.c
> @@ -882,6 +882,24 @@ static int ct_save_snprintf(char *buf, size_t len,
>
> extern struct ctproto_handler ct_proto_unknown;
>
> +static int parse_proto_num(const char *str)
> +{
> + char *endptr;
> + long val;
> +
> + errno = 0;
> + val = strtol(str, &endptr, 0);
> + if ((errno == ERANGE && (val == LONG_MAX || val == LONG_MIN)) ||
> + (errno != 0 && val == 0) ||
> + endptr == str ||
> + *endptr != '\0' ||
> + val >= IPPROTO_MAX) {

There might be a more simple way to do error reporting for strtoul?

> + return -1;
> + }
> +
> + return val;
> +}
> +
> static struct ctproto_handler *findproto(char *name, int *pnum)
> {
> struct ctproto_handler *cur;
> @@ -901,8 +919,8 @@ static struct ctproto_handler *findproto(char *name, int *pnum)
> return &ct_proto_unknown;
> }
> /* using a protocol number? */
> - protonum = atoi(name);
> - if (protonum >= 0 && protonum <= IPPROTO_MAX) {
> + protonum = parse_proto_num(name);
> + if (protonum >= 0) {
> /* try lookup by number, perhaps this protocol is supported */
> list_for_each_entry(cur, &proto_list, head) {
> if (cur->protonum == protonum) {
> --
> 2.25.1
>
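Review bot: parse_proto_num never rejects a negative result, and `return val;` narrows a long to int, so on an LP64 build an input such as `-4294967296` parses without ERANGE, passes the `val >= IPPROTO_MAX` test and truncates to 0 — which the new `if (protonum >= 0)` in the findproto hunk then accepts as a lookup for protocol 0, the very case the commit sets out to reject. Adding `val < 0 ||` to the condition ahead of `val >= IPPROTO_MAX` closes that path and keeps -1 as an unambiguous error sentinel for the caller. Base 0 in `strtol(str, &endptr, 0)` is also a silent change from the atoi() it replaces: `-p 010` now means protocol 8 and `-p 0x11` is accepted, so use base 10 unless hex/octal input is intended. A contract comment on the function, `/* Returns the protocol number in [0, IPPROTO_MAX) or -1 if str is not a valid one. */`, would document this; whether conntrack.c already includes <errno.h> and <limits.h> for errno/LONG_MAX is not visible in the hunk.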