[PATCH libnetfilter_conntrack] conntrack: add sanity check to netlink socket filter API


 



Validate that the layer 4 protocol number and protocol state used for
filtering fit into the existing maps that are used internally.

Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 src/conntrack/filter.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/conntrack/filter.c b/src/conntrack/filter.c
index 4cbc116454cf..57b22945fc3b 100644
--- a/src/conntrack/filter.c
+++ b/src/conntrack/filter.c
@@ -11,18 +11,31 @@
 
 static void filter_attr_l4proto(struct nfct_filter *filter, const void *value)
 {
+	int protonum;
+
 	if (filter->l4proto_len >= __FILTER_L4PROTO_MAX)
 		return;
 
-	set_bit(*((int *) value), filter->l4proto_map);
+	protonum = *(int *)value;
+	if (protonum >= IPPROTO_MAX)
+		return;
+
+	set_bit(protonum, filter->l4proto_map);
 	filter->l4proto_len++;
 }
 
-static void 
+#ifndef BITS_PER_BYTE
+#define BITS_PER_BYTE	8
+#endif
+
+static void
 filter_attr_l4proto_state(struct nfct_filter *filter, const void *value)
 {
 	const struct nfct_filter_proto *this = value;
 
+	if (this->state >= sizeof(filter->l4proto_state[0].map) * BITS_PER_BYTE)
+		return;
+
 	set_bit_u16(this->state, &filter->l4proto_state[this->proto].map);
 	filter->l4proto_state[this->proto].len++;
 }
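Review bot: The new guard in filter_attr_l4proto tests only the upper bound, and `protonum` is a signed `int`, so a negative value passes `protonum >= IPPROTO_MAX` and still reaches `set_bit()`, where it would presumably index before the start of `l4proto_map`; the check should read `if (protonum < 0 || protonum >= IPPROTO_MAX) return;`. In filter_attr_l4proto_state the added test bounds `this->state`, but `this->proto` still indexes `filter->l4proto_state[]` unchecked on the two lines that follow. The array's declaration is not in this hunk; if it is sized by IPPROTO_MAX, the guard should also include `this->proto >= IPPROTO_MAX`. Both functions return void, so a rejected value is dropped silently, and a one-line comment such as `/* out-of-range values are ignored; the caller gets no error */` would make that contract visible.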
-- 
2.30.2



