diff options
author | Phil Sutter <phil@nwl.cc> | 2022-12-15 16:06:11 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2022-12-20 21:49:38 +0100 |
commit | f2c5e52863ea48838e9b9246ed94419053673b88 (patch) | |
tree | d549099764c08b08c27cf8fb92f0cf7bf4c34553 /iptables | |
parent | d96d0791901c10d4edf599b3da069ca3d9acfcc5 (diff) |
arptables: Check the mandatory ar_pln match
This match is added by nft_arp_add() to every rule with same value, so
when parsing just check it is as expected and otherwise ignore it. This
allows to treat matches on all other offsets/lengths as error.
Fixes: 84909d171585d ("xtables: bootstrap ARP compatibility layer for nftables")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables')
-rw-r--r-- | iptables/nft-arp.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c index d670cbe6..edf17952 100644 --- a/iptables/nft-arp.c +++ b/iptables/nft-arp.c @@ -214,7 +214,7 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx, struct arpt_entry *fw = &cs->arp; struct in_addr addr; uint16_t ar_hrd, ar_pro, ar_op; - uint8_t ar_hln; + uint8_t ar_hln, ar_pln; bool inv; switch (reg->payload.offset) { @@ -246,6 +246,11 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx, if (inv) fw->arp.invflags |= IPT_INV_ARPOP; break; + case offsetof(struct arphdr, ar_pln): + get_cmp_data(e, &ar_pln, sizeof(ar_pln), &inv); + if (ar_pln != 4 || inv) + ctx->errmsg = "unexpected ARP protocol length match"; + break; default: if (reg->payload.offset == sizeof(struct arphdr)) { if (nft_arp_parse_devaddr(reg, e, &fw->arp.src_devaddr)) |