[PATCH libnetfilter_conntrack 2/2] conntrack: fix BPF for filtering IPv6 addresses

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Each address in the filter is matched one 32-bit word at a time.  If any of the
first three words don't match, we jump to the end of the filter.  If the last
word does match, we jump to the end of the filter.  However, this is not right:
it means that if any of the first three words of an address don't match, all
subsequent addresses will be skipped.  Instead, jump to the next address.

Fix formatting of `nfct_bsf_cmp_k_stack`.

Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690676
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1062
Fixes: dd73e5708cc2 ("bsf: add support for IPv6 address filtering")
Signed-off-by: Jeremy Sowden <jeremy@xxxxxxxxxx>
---
 src/conntrack/bsf.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
index 35cc8b7690c0..48fd4fafbc3e 100644
--- a/src/conntrack/bsf.c
+++ b/src/conntrack/bsf.c
@@ -163,7 +163,7 @@ struct jump {
 
 static int
 nfct_bsf_cmp_k_stack(struct sock_filter *this, int k, 
-	       int jump_true, int pos, struct stack *s)
+		     int jump_true, int pos, struct stack *s)
 {
 	struct sock_filter __code = {
 		.code	= BPF_JMP|BPF_JEQ|BPF_K,
@@ -640,8 +640,8 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f,
 					      j);
 			if (k < 3) {
 				j += nfct_bsf_cmp_k_stack_jf(this, ip,
-						jf - j - 1,
-						j, s);
+							     (3 - k) * 3 + 1,
+							     j, s);
 			} else {
 				/* last word: jump if true */
 				j += nfct_bsf_cmp_k_stack(this, ip, jf - j,
@@ -655,7 +655,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f,
 			this[jmp.line].jt += jmp.jt + j;
 		}
 		if (jmp.jf) {
-			this[jmp.line].jf += jmp.jf + j;
+			this[jmp.line].jf += jmp.jf;
 		}
 	}
 
-- 
2.40.1




[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux