@@ -237,6 +237,11 @@ nft_rule_expr_bitwise_xml_parse(struct nft_rule_expr *e, char *xml)
return -1;
}
+ if (tmp > NFT_REG_MAX) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
bitwise->sreg = (uint32_t)tmp;
e->flags |= (1 << NFT_EXPR_BITWISE_SREG);
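Review bot: The added guard bounds `sreg` only from above, so a parsed value of 0 still reaches `bitwise->sreg`. If register 0 (the verdict register, `NFT_REG_VERDICT`) is not meant to be a valid source operand, which is worth confirming against the kernel's register validation, the check could read `if (tmp < NFT_REG_1 || tmp > NFT_REG_MAX) {`. The same question applies to the source-register hunks in byteorder, cmp and lookup. The earlier range check on `tmp` and the rest of nft_rule_expr_bitwise_xml_parse lie outside this hunk, so a lower bound may already be enforced there.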
@@ -252,6 +257,11 @@ nft_rule_expr_bitwise_xml_parse(struct nft_rule_expr *e, char *xml)
return -1;
}
+ if (tmp > NFT_REG_MAX) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
bitwise->dreg = (uint32_t)tmp;
e->flags |= (1 << NFT_EXPR_BITWISE_DREG);
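Review bot: The failure path `mxmlDelete(tree); return -1;` is written out again in this check, as it is in the sreg hunk above and in the cmp, exthdr, immediate, lookup, meta and payload hunks. A later change to the cleanup then has to be repeated in every copy, and a missed one leaks the parsed tree. byteorder and ct in the same patch already funnel failures through `goto err;`, so one `err:` label per parser would reduce the register check here to `if (tmp > NFT_REG_MAX) goto err;`. Whether these functions already have such a label cannot be seen from the hunk, which starts and ends inside nft_rule_expr_bitwise_xml_parse.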
@@ -225,6 +225,9 @@ nft_rule_expr_byteorder_xml_parse(struct nft_rule_expr *e, char *xml)
if (tmp > UINT32_MAX || tmp < 0 || *endptr)
goto err;
+ if (tmp > NFT_REG_MAX)
+ goto err;
+
byteorder->sreg = tmp;
e->flags |= (1 << NFT_EXPR_BYTEORDER_SREG);
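Review bot: With the new test in place, the upper bound in the condition just above it looks redundant, since `NFT_REG_MAX` is presumably far below `UINT32_MAX`; the two checks can be merged into `if (tmp > NFT_REG_MAX || tmp < 0 || *endptr) goto err;`. The same holds for the dreg hunk below and for the ct hunk, where the old bound is `UINT8_MAX`. `tmp` is declared outside the hunk: if it is an unsigned type, `tmp < 0` is always false and negative input is rejected only by the upper bound, so a short comment such as `/* register must be within enum nft_registers */` would make the intent explicit.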
@@ -236,6 +239,9 @@ nft_rule_expr_byteorder_xml_parse(struct nft_rule_expr *e, char *xml)
if (tmp > UINT32_MAX || tmp < 0 || *endptr)
goto err;
+ if (tmp > NFT_REG_MAX)
+ goto err;
+
byteorder->dreg = tmp;
e->flags |= (1 << NFT_EXPR_BYTEORDER_DREG);
@@ -203,6 +203,11 @@ static int nft_rule_expr_cmp_xml_parse(struct nft_rule_expr *e, char *xml)
return -1;
}
+ if (tmp > NFT_REG_MAX) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
cmp->sreg = (uint8_t)tmp;
e->flags |= (1 << NFT_EXPR_CMP_SREG);
}
@@ -177,6 +177,9 @@ static int nft_rule_expr_ct_xml_parse(struct nft_rule_expr *e, char *xml)
if (tmp > UINT8_MAX || tmp < 0 || *endptr)
goto err;
+ if (tmp > NFT_REG_MAX)
+ goto err;
+
ct->dreg = tmp;
e->flags |= (1 << NFT_EXPR_CT_DREG);
@@ -205,6 +205,11 @@ nft_rule_expr_exthdr_xml_parse(struct nft_rule_expr *e, char *xml)
return -1;
}
+ if (tmp > NFT_REG_MAX) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
exthdr->dreg = tmp;
e->flags |= (1 << NFT_EXPR_EXTHDR_DREG);
}
@@ -236,6 +236,11 @@ nft_rule_expr_immediate_xml_parse(struct nft_rule_expr *e, char *xml)
return -1;
}
+ if (tmp > NFT_REG_MAX) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
imm->dreg = (uint32_t)tmp;
e->flags |= (1 << NFT_EXPR_IMM_DREG);
@@ -204,6 +204,11 @@ nft_rule_expr_lookup_xml_parse(struct nft_rule_expr *e, char *xml)
return -1;
}
+ if (tmp > NFT_REG_MAX) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
lookup->sreg = (uint32_t)tmp;
e->flags |= (1 << NFT_EXPR_LOOKUP_SREG);
@@ -217,6 +222,11 @@ nft_rule_expr_lookup_xml_parse(struct nft_rule_expr *e, char *xml)
return -1;
}
+ if (tmp > NFT_REG_MAX) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
lookup->dreg = (uint32_t)tmp;
e->flags |= (1 << NFT_EXPR_LOOKUP_DREG);
}
@@ -163,6 +163,11 @@ static int nft_rule_expr_meta_xml_parse(struct nft_rule_expr *e, char *xml)
return -1;
}
+ if (tmp > NFT_REG_MAX) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
meta->dreg = (uint8_t)tmp;
e->flags |= (1 << NFT_EXPR_META_DREG);
@@ -200,6 +200,11 @@ nft_rule_expr_payload_xml_parse(struct nft_rule_expr *e, char *xml)
return -1;
}
+ if (tmp > NFT_REG_MAX) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
payload->dreg = (uint32_t)tmp;
e->flags |= (1 << NFT_EXPR_PAYLOAD_DREG);
}
This patch adds validation for all exprs that use nft_registers, so that they use a value < NFT_REG_MAX. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> --- src/expr/bitwise.c | 10 ++++++++++ src/expr/byteorder.c | 6 ++++++ src/expr/cmp.c | 5 +++++ src/expr/ct.c | 3 +++ src/expr/exthdr.c | 5 +++++ src/expr/immediate.c | 5 +++++ src/expr/lookup.c | 10 ++++++++++ src/expr/meta.c | 5 +++++ src/expr/payload.c | 5 +++++ 9 files changed, 54 insertions(+) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html