Analogous to XTTYPE_UINT*RC value parsing, assert consecutive port values are not lower than previous ones.
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 extensions/libxt_conntrack.t | 8 ++++----
 extensions/libxt_dccp.t | 4 ++--
 extensions/libxt_udp.t | 4 ++--
 libxtables/xtoptions.c | 7 ++++++-
 4 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/extensions/libxt_conntrack.t b/extensions/libxt_conntrack.t
index 620e7b5436e88..5e27ddce4fe6e 100644
--- a/extensions/libxt_conntrack.t
+++ b/extensions/libxt_conntrack.t
@@ -34,22 +34,22 @@
 -m conntrack --ctorigsrcport 4:;-m conntrack --ctorigsrcport 4:65535;OK
 -m conntrack --ctorigsrcport 3:4;=;OK
 -m conntrack --ctorigsrcport 4:4;-m conntrack --ctorigsrcport 4;OK
--m conntrack --ctorigsrcport 4:3;=;OK
+-m conntrack --ctorigsrcport 4:3;;FAIL
 -m conntrack --ctreplsrcport :;-m conntrack --ctreplsrcport 0:65535;OK
 -m conntrack --ctreplsrcport :4;-m conntrack --ctreplsrcport 0:4;OK
 -m conntrack --ctreplsrcport 4:;-m conntrack --ctreplsrcport 4:65535;OK
 -m conntrack --ctreplsrcport 3:4;=;OK
 -m conntrack --ctreplsrcport 4:4;-m conntrack --ctreplsrcport 4;OK
--m conntrack --ctreplsrcport 4:3;=;OK
+-m conntrack --ctreplsrcport 4:3;;FAIL
 -m conntrack --ctorigdstport :;-m conntrack --ctorigdstport 0:65535;OK
 -m conntrack --ctorigdstport :4;-m conntrack --ctorigdstport 0:4;OK
 -m conntrack --ctorigdstport 4:;-m conntrack --ctorigdstport 4:65535;OK
 -m conntrack --ctorigdstport 3:4;=;OK
 -m conntrack --ctorigdstport 4:4;-m conntrack --ctorigdstport 4;OK
--m conntrack --ctorigdstport 4:3;=;OK
+-m conntrack --ctorigdstport 4:3;;FAIL
 -m conntrack --ctrepldstport :;-m conntrack --ctrepldstport 0:65535;OK
 -m conntrack --ctrepldstport :4;-m conntrack --ctrepldstport 0:4;OK
 -m conntrack --ctrepldstport 4:;-m conntrack --ctrepldstport 4:65535;OK
 -m conntrack --ctrepldstport 3:4;=;OK
 -m conntrack --ctrepldstport 4:4;-m conntrack --ctrepldstport 4;OK
--m conntrack --ctrepldstport 4:3;=;OK
+-m conntrack --ctrepldstport 4:3;;FAIL
diff --git a/extensions/libxt_dccp.t b/extensions/libxt_dccp.t
index 535891a556394..3655ab6f4b7fc 100644
--- a/extensions/libxt_dccp.t
+++ b/extensions/libxt_dccp.t
@@ -10,12 +10,12 @@
 -p dccp -m dccp --sport :4;-p dccp -m dccp --sport 0:4;OK
 -p dccp -m dccp --sport 4:;-p dccp -m dccp --sport 4:65535;OK
 -p dccp -m dccp --sport 4:4;-p dccp -m dccp --sport 4;OK
--p dccp -m dccp --sport 4:3;=;OK
+-p dccp -m dccp --sport 4:3;;FAIL
 -p dccp -m dccp --dport :;-p dccp -m dccp --dport 0:65535;OK
 -p dccp -m dccp --dport :4;-p dccp -m dccp --dport 0:4;OK
 -p dccp -m dccp --dport 4:;-p dccp -m dccp --dport 4:65535;OK
 -p dccp -m dccp --dport 4:4;-p dccp -m dccp --dport 4;OK
--p dccp -m dccp --dport 4:3;=;OK
+-p dccp -m dccp --dport 4:3;;FAIL
 -p dccp -m dccp ! --sport 1;=;OK
 -p dccp -m dccp ! --sport 65535;=;OK
 -p dccp -m dccp ! --dport 1;=;OK
diff --git a/extensions/libxt_udp.t b/extensions/libxt_udp.t
index d62dd5e3f830e..09dff363fc21a 100644
--- a/extensions/libxt_udp.t
+++ b/extensions/libxt_udp.t
@@ -11,13 +11,13 @@
 -p udp -m udp --sport :4;-p udp -m udp --sport 0:4;OK
 -p udp -m udp --sport 4:;-p udp -m udp --sport 4:65535;OK
 -p udp -m udp --sport 4:4;-p udp -m udp --sport 4;OK
--p udp -m udp --sport 4:3;=;OK
+-p udp -m udp --sport 4:3;;FAIL
 -p udp -m udp --dport :;-p udp -m udp;OK
 -p udp -m udp ! --dport :;-p udp -m udp;OK;LEGACY;-p udp
 -p udp -m udp --dport :4;-p udp -m udp --dport 0:4;OK
 -p udp -m udp --dport 4:;-p udp -m udp --dport 4:65535;OK
 -p udp -m udp --dport 4:4;-p udp -m udp --dport 4;OK
--p udp -m udp --dport 4:3;=;OK
+-p udp -m udp --dport 4:3;;FAIL
 -p udp -m udp ! --sport 1;=;OK
 -p udp -m udp ! --sport 65535;=;OK
 -p udp -m udp ! --dport 1;=;OK
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index cecf7d3526112..0a995a63a2a88 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -604,7 +604,7 @@ static void xtopt_parse_mport(struct xt_option_call *cb) const struct xt_option_entry *entry = cb->entry; char *lo_arg, *wp_arg, *arg; unsigned int maxiter; - int value; + int value, prev = 0; wp_arg = lo_arg = xtables_strdup(cb->arg); @@ -634,6 +634,11 @@ static void xtopt_parse_mport(struct xt_option_call *cb) xt_params->exit_err(PARAMETER_PROBLEM, "Port \"%s\" does not resolve to " "anything.\n", arg); + if (value < prev) + xt_params->exit_err(PARAMETER_PROBLEM, + "Port range %d-%d is negative.\n", + prev, value); + prev = value; if (entry->flags & XTOPT_NBO) value = htons(value); if (cb->nvals < ARRAY_SIZE(cb->val.port_range)) -- 2.43.0
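Review bot: The new `exit_err()` message in the second hunk does not say which option carried the bad range, and it prints the two values joined by `-` although the option syntax uses `:`. The test changes on this page flip `4:3` from OK to FAIL for four separate conntrack port options, so an operator whose previously accepted ruleset now fails to load gets no hint which one to fix. Consider `"%s: port range %d:%d in option \"--%s\" is reversed.\n", cb->ext_name, prev, value, entry->name` as the format and arguments. A short comment such as `/* compare in host byte order, before the XTOPT_NBO conversion below */` above the check would also keep it from being moved past `htons()` in a later refactor. The body of xtopt_parse_mport starts and ends outside both hunks.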