@@ -85,18 +85,20 @@ static void set_attr_grp_repl_port(struct nf_conntrack *ct, const void *value)
static void set_attr_grp_icmp(struct nf_conntrack *ct, const void *value)
{
- uint8_t rtype;
+ uint8_t rtype = 0;
const struct nfct_attr_grp_icmp *this = value;
ct->head.orig.l4dst.icmp.type = this->type;
switch(ct->head.orig.l3protonum) {
case AF_INET:
- rtype = invmap_icmp[this->type];
+ if (this->type < ARRAY_SIZE(invmap_icmp))
+ rtype = invmap_icmp[this->type];
break;
case AF_INET6:
- rtype = invmap_icmpv6[this->type - 128];
+ if (this->type - 128 < ARRAY_SIZE(invmap_icmp))
+ rtype = invmap_icmpv6[this->type - 128];
break;
default:
@@ -124,17 +124,20 @@ set_attr_repl_zone(struct nf_conntrack *ct, const void *value, size_t len)
static void
set_attr_icmp_type(struct nf_conntrack *ct, const void *value, size_t len)
{
- uint8_t rtype;
+ uint8_t type = *((uint8_t *) value);
+ uint8_t rtype = 0;
- ct->head.orig.l4dst.icmp.type = *((uint8_t *) value);
+ ct->head.orig.l4dst.icmp.type = type;
switch(ct->head.orig.l3protonum) {
case AF_INET:
- rtype = invmap_icmp[*((uint8_t *) value)];
+ if (type < ARRAY_SIZE(invmap_icmp))
+ rtype = invmap_icmp[type];
break;
case AF_INET6:
- rtype = invmap_icmpv6[*((uint8_t *) value) - 128];
+ if (type - 128 < ARRAY_SIZE(invmap_icmpv6))
+ rtype = invmap_icmpv6[type - 128];
break;
default:
When type is out of range for the invmap_icmp{,v6} array we leave rtype at zero which will map to type=255 just like other error cases in this function. Signed-off-by: Daniel Gröber <dxld@darkboxed.org> --- src/conntrack/grp_setter.c | 8 +++++--- src/conntrack/setter.c | 11 +++++++---- 2 files changed, 12 insertions(+), 7 deletions(-)