diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-03-23 12:52:39 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-03-28 10:26:34 +0200 |
commit | 3c64ea7995cbbc4f1d9d7707f907667325eb62b9 (patch) | |
tree | 3aa5d47e697ac56eef78f980bccd20618c638e9c | |
parent | 1cdd8249f1c9c462b40ccde8d56191ea481ce610 (diff) |
evaluate: honor statement length in integer evaluation
Otherwise, bogus error is reported:
# nft --debug=netlink add rule ip x y 'ct mark set ip dscp & 0x0f << 1 | 0xff000000'
Error: Value 4278190080 exceeds valid range 0-63
add rule ip x y ct mark set ip dscp & 0x0f << 1 | 0xff000000
^^^^^^^^^^
Use the statement length as the maximum value in the mark statement
expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/evaluate.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index 97752c0f..4178be4e 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -389,6 +389,7 @@ static int expr_evaluate_integer(struct eval_ctx *ctx, struct expr **exprp) { struct expr *expr = *exprp; char *valstr, *rangestr; + uint32_t masklen; mpz_t mask; if (ctx->ectx.maxval > 0 && @@ -401,7 +402,12 @@ static int expr_evaluate_integer(struct eval_ctx *ctx, struct expr **exprp) return -1; } - mpz_init_bitmask(mask, ctx->ectx.len); + if (ctx->stmt_len > ctx->ectx.len) + masklen = ctx->stmt_len; + else + masklen = ctx->ectx.len; + + mpz_init_bitmask(mask, masklen); if (mpz_cmp(expr->value, mask) > 0) { valstr = mpz_get_str(NULL, 10, expr->value); rangestr = mpz_get_str(NULL, 10, mask); @@ -414,7 +420,7 @@ static int expr_evaluate_integer(struct eval_ctx *ctx, struct expr **exprp) return -1; } expr->byteorder = ctx->ectx.byteorder; - expr->len = ctx->ectx.len; + expr->len = masklen; mpz_clear(mask); return 0; } |