[PATCH nft] src: Check range bounds before converting to prefix

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH nft] src: Check range bounds before converting to prefix
@ 2021-09-06  3:06 Xiao Liang
  2021-09-06  9:13 ` Pablo Neira Ayuso
  2021-09-06 20:04 ` Pablo Neira Ayuso
  0 siblings, 2 replies; 4+ messages in thread
From: Xiao Liang @ 2021-09-06  3:06 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Xiao Liang

The lower bound must be the first value of the prefix to be coverted.
For example, range "10.0.0.15-10.0.0.240" can not be converted to
"10.0.0.15/24". Validate it by checking if the lower bound value has
enough trailing zeros.

Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
---
 src/netlink.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/netlink.c b/src/netlink.c
index cbf9d436..0fd0b664 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1079,12 +1079,15 @@ struct expr *range_expr_to_prefix(struct expr *range)
 
 	if (mpz_bitmask_is_prefix(bitmask, len)) {
 		prefix_len = mpz_bitmask_to_prefix(bitmask, len);
-		prefix = prefix_expr_alloc(&range->location, expr_get(left),
-					   prefix_len);
-		mpz_clear(bitmask);
-		expr_free(range);
-
-		return prefix;
+		if (mpz_scan1(left->value, 0) >= len - prefix_len) {
+			prefix = prefix_expr_alloc(&range->location,
+						   expr_get(left),
+						   prefix_len);
+			mpz_clear(bitmask);
+			expr_free(range);
+
+			return prefix;
+		}
 	}
 	mpz_clear(bitmask);
 
-- 
2.33.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH nft] src: Check range bounds before converting to prefix
  2021-09-06  3:06 [PATCH nft] src: Check range bounds before converting to prefix Xiao Liang
@ 2021-09-06  9:13 ` Pablo Neira Ayuso
  2021-09-06 12:57   ` Xiao Liang
  2021-09-06 20:04 ` Pablo Neira Ayuso
  1 sibling, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2021-09-06  9:13 UTC (permalink / raw)
  To: Xiao Liang; +Cc: netfilter-devel

Hi,

On Mon, Sep 06, 2021 at 11:06:41AM +0800, Xiao Liang wrote:
> The lower bound must be the first value of the prefix to be coverted.
> For example, range "10.0.0.15-10.0.0.240" can not be converted to
> "10.0.0.15/24". Validate it by checking if the lower bound value has
> enough trailing zeros.

# nft add rule x y ip saddr 10.0.0.15-10.0.0.240
# nft list ruleset
...
        ip saddr 10.0.0.15-10.0.0.240

Is a different range that triggers the problem?

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH nft] src: Check range bounds before converting to prefix
  2021-09-06  9:13 ` Pablo Neira Ayuso
@ 2021-09-06 12:57   ` Xiao Liang
  0 siblings, 0 replies; 4+ messages in thread
From: Xiao Liang @ 2021-09-06 12:57 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Mon, Sep 6, 2021 at 5:13 PM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> Hi,
>
> On Mon, Sep 06, 2021 at 11:06:41AM +0800, Xiao Liang wrote:
> > The lower bound must be the first value of the prefix to be coverted.
> > For example, range "10.0.0.15-10.0.0.240" can not be converted to
> > "10.0.0.15/24". Validate it by checking if the lower bound value has
> > enough trailing zeros.
>
> # nft add rule x y ip saddr 10.0.0.15-10.0.0.240
> # nft list ruleset
> ...
>         ip saddr 10.0.0.15-10.0.0.240
>
> Is a different range that triggers the problem?

Hi,

Please try
# nft add rule x y snat to 10.0.0.15-10.0.0.240

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH nft] src: Check range bounds before converting to prefix
  2021-09-06  3:06 [PATCH nft] src: Check range bounds before converting to prefix Xiao Liang
  2021-09-06  9:13 ` Pablo Neira Ayuso
@ 2021-09-06 20:04 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2021-09-06 20:04 UTC (permalink / raw)
  To: Xiao Liang; +Cc: netfilter-devel

On Mon, Sep 06, 2021 at 11:06:41AM +0800, Xiao Liang wrote:
> The lower bound must be the first value of the prefix to be coverted.
> For example, range "10.0.0.15-10.0.0.240" can not be converted to
> "10.0.0.15/24". Validate it by checking if the lower bound value has
> enough trailing zeros.

Applied, thanks.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-09-06 20:04 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-09-06  3:06 [PATCH nft] src: Check range bounds before converting to prefix Xiao Liang
2021-09-06  9:13 ` Pablo Neira Ayuso
2021-09-06 12:57   ` Xiao Liang
2021-09-06 20:04 ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).