authorPhil Sutter <phil@nwl.cc>2024-01-24 23:29:46 +0100
committerPhil Sutter <phil@nwl.cc>2024-02-02 18:26:14 +0100
commit30a7f11234a81bd2389c7e7224769b1fdd192239 (patch)
tree7b4a1674937105e49e531f06e49b7309596759a9
parent285406b1d22e3ed0aec30ea0a534ea76211156a9 (diff)
libxtables: xtoptions: Assert ranges are monotonic increasing
Extensions commonly require the upper range value to be larger or equal to the lower one. Performing this check in the parser is easier and covers all extensions at once. One notable exception is NFQUEUE which requires strict monotonicity. Hence leave its checks in place. Signed-off-by: Phil Sutter <phil@nwl.cc>
-rw-r--r--extensions/libebt_stp.c21
-rw-r--r--extensions/libip6t_ah.t2
-rw-r--r--extensions/libip6t_frag.t2
-rw-r--r--extensions/libip6t_rt.t2
-rw-r--r--extensions/libipt_ah.t2
-rw-r--r--extensions/libxt_connbytes.c4
-rw-r--r--extensions/libxt_conntrack.t2
-rw-r--r--extensions/libxt_esp.t2
-rw-r--r--extensions/libxt_ipcomp.t2
-rw-r--r--extensions/libxt_length.t2
-rw-r--r--libxtables/xtoptions.c9
11 files changed, 22 insertions, 28 deletions
diff --git a/extensions/libebt_stp.c b/extensions/libebt_stp.c
index 371fa04c..189e36a5 100644
--- a/extensions/libebt_stp.c
+++ b/extensions/libebt_stp.c
@@ -139,36 +139,33 @@ static void brstp_parse(struct xt_option_call *cb)
cb->val.ethermacmask, ETH_ALEN);
break;
-#define RANGE_ASSIGN(name, fname, val) { \
+#define RANGE_ASSIGN(fname, val) { \
stpinfo->config.fname##l = val[0]; \
stpinfo->config.fname##u = cb->nvals > 1 ? val[1] : val[0]; \
- if (stpinfo->config.fname##u < stpinfo->config.fname##l) \
- xtables_error(PARAMETER_PROBLEM, \
- "Bad --stp-" name " range"); \
}
case O_RPRIO:
- RANGE_ASSIGN("root-prio", root_prio, cb->val.u16_range);
+ RANGE_ASSIGN(root_prio, cb->val.u16_range);
break;
case O_RCOST:
- RANGE_ASSIGN("root-cost", root_cost, cb->val.u32_range);
+ RANGE_ASSIGN(root_cost, cb->val.u32_range);
break;
case O_SPRIO:
- RANGE_ASSIGN("sender-prio", sender_prio, cb->val.u16_range);
+ RANGE_ASSIGN(sender_prio, cb->val.u16_range);
break;
case O_PORT:
- RANGE_ASSIGN("port", port, cb->val.u16_range);
+ RANGE_ASSIGN(port, cb->val.u16_range);
break;
case O_MSGAGE:
- RANGE_ASSIGN("msg-age", msg_age, cb->val.u16_range);
+ RANGE_ASSIGN(msg_age, cb->val.u16_range);
break;
case O_MAXAGE:
- RANGE_ASSIGN("max-age", max_age, cb->val.u16_range);
+ RANGE_ASSIGN(max_age, cb->val.u16_range);
break;
case O_HTIME:
- RANGE_ASSIGN("hello-time", hello_time, cb->val.u16_range);
+ RANGE_ASSIGN(hello_time, cb->val.u16_range);
break;
case O_FWDD:
- RANGE_ASSIGN("forward-delay", forward_delay, cb->val.u16_range);
+ RANGE_ASSIGN(forward_delay, cb->val.u16_range);
break;
#undef RANGE_ASSIGN
}
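Review bot: With the bounds check deleted, RANGE_ASSIGN stores whatever pair it is handed, and nothing near the macro says that ordering is now enforced elsewhere. A short comment above the `#define`, for example `/* lower <= upper is guaranteed by the range parser in libxtables */`, would keep a later reader from treating the missing check as an oversight. That guarantee holds only if all eight options are declared as range types and therefore go through xtopt_parse_mint, which the option table outside this hunk would have to confirm. brstp_parse starts before the hunk.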
diff --git a/extensions/libip6t_ah.t b/extensions/libip6t_ah.t
index 77c5383c..eeba7b45 100644
--- a/extensions/libip6t_ah.t
+++ b/extensions/libip6t_ah.t
@@ -18,4 +18,4 @@
-m ah --ahspi :3;-m ah --ahspi 0:3;OK
-m ah --ahspi 3:;-m ah --ahspi 3:4294967295;OK
-m ah --ahspi 3:3;-m ah --ahspi 3;OK
--m ah --ahspi 4:3;=;OK
+-m ah --ahspi 4:3;;FAIL
diff --git a/extensions/libip6t_frag.t b/extensions/libip6t_frag.t
index a8907670..57f7da27 100644
--- a/extensions/libip6t_frag.t
+++ b/extensions/libip6t_frag.t
@@ -5,7 +5,7 @@
-m frag --fragid 42:;-m frag --fragid 42:4294967295;OK
-m frag --fragid 1:42;=;OK
-m frag --fragid 3:3;-m frag --fragid 3;OK
--m frag --fragid 4:3;=;OK
+-m frag --fragid 4:3;;FAIL
-m frag --fraglen 42;=;OK
-m frag --fragres;=;OK
-m frag --fragfirst;=;OK
diff --git a/extensions/libip6t_rt.t b/extensions/libip6t_rt.t
index 2699e800..56c8b077 100644
--- a/extensions/libip6t_rt.t
+++ b/extensions/libip6t_rt.t
@@ -8,4 +8,4 @@
-m rt --rt-segsleft :3;-m rt --rt-segsleft 0:3;OK
-m rt --rt-segsleft 3:;-m rt --rt-segsleft 3:4294967295;OK
-m rt --rt-segsleft 3:3;-m rt --rt-segsleft 3;OK
--m rt --rt-segsleft 4:3;=;OK
+-m rt --rt-segsleft 4:3;;FAIL
diff --git a/extensions/libipt_ah.t b/extensions/libipt_ah.t
index a2aa338f..d86ede60 100644
--- a/extensions/libipt_ah.t
+++ b/extensions/libipt_ah.t
@@ -16,4 +16,4 @@
-p ah -m ah --ahspi :3;-p ah -m ah --ahspi 0:3;OK
-p ah -m ah --ahspi 3:;-p ah -m ah --ahspi 3:4294967295;OK
-p ah -m ah --ahspi 3:3;-p ah -m ah --ahspi 3;OK
--p ah -m ah --ahspi 4:3;=;OK
+-p ah -m ah --ahspi 4:3;;FAIL
diff --git a/extensions/libxt_connbytes.c b/extensions/libxt_connbytes.c
index b57f0fc0..2f110857 100644
--- a/extensions/libxt_connbytes.c
+++ b/extensions/libxt_connbytes.c
@@ -41,10 +41,6 @@ static void connbytes_parse(struct xt_option_call *cb)
if (cb->nvals == 2)
sinfo->count.to = cb->val.u64_range[1];
- if (sinfo->count.to < sinfo->count.from)
- xtables_error(PARAMETER_PROBLEM, "%llu should be less than %llu",
- (unsigned long long)sinfo->count.from,
- (unsigned long long)sinfo->count.to);
if (cb->invert) {
i = sinfo->count.from;
sinfo->count.from = sinfo->count.to;
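Review bot: The `cb->invert` branch right after the removed check deliberately swaps `from` and `to`, so a reversed pair appears to be how an inverted match is encoded. After this change the only thing preventing a non-inverted rule from carrying `from > to`, and so being read as its own negation, is the parser-side check. A comment before the swap such as `/* parser guarantees from <= to; the swap below marks inversion */` would document that dependency. The encoding is inferred from the swap visible here; the rest of connbytes_parse is outside the hunk.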
diff --git a/extensions/libxt_conntrack.t b/extensions/libxt_conntrack.t
index 399d70ab..620e7b54 100644
--- a/extensions/libxt_conntrack.t
+++ b/extensions/libxt_conntrack.t
@@ -18,7 +18,7 @@
-m conntrack --ctexpire 42949672956;;FAIL
-m conntrack --ctexpire -1;;FAIL
-m conntrack --ctexpire 3:3;-m conntrack --ctexpire 3;OK
--m conntrack --ctexpire 4:3;=;OK
+-m conntrack --ctexpire 4:3;;FAIL
-m conntrack --ctdir ORIGINAL;=;OK
-m conntrack --ctdir REPLY;=;OK
-m conntrack --ctstatus NONE;=;OK
diff --git a/extensions/libxt_esp.t b/extensions/libxt_esp.t
index a8bc5287..686611f2 100644
--- a/extensions/libxt_esp.t
+++ b/extensions/libxt_esp.t
@@ -10,6 +10,6 @@
-p esp -m esp --espspi 4:;-p esp -m esp --espspi 4:4294967295;OK
-p esp -m esp --espspi 3:4;=;OK
-p esp -m esp --espspi 4:4;-p esp -m esp --espspi 4;OK
--p esp -m esp --espspi 4:3;=;OK
+-p esp -m esp --espspi 4:3;;FAIL
-p esp -m esp;=;OK
-m esp;;FAIL
diff --git a/extensions/libxt_ipcomp.t b/extensions/libxt_ipcomp.t
index f62144ae..375f885a 100644
--- a/extensions/libxt_ipcomp.t
+++ b/extensions/libxt_ipcomp.t
@@ -7,4 +7,4 @@
-p ipcomp -m ipcomp --ipcompspi 4:;-p ipcomp -m ipcomp --ipcompspi 4:4294967295;OK
-p ipcomp -m ipcomp --ipcompspi 3:4;=;OK
-p ipcomp -m ipcomp --ipcompspi 4:4;-p ipcomp -m ipcomp --ipcompspi 4;OK
--p ipcomp -m ipcomp --ipcompspi 4:3;=;OK
+-p ipcomp -m ipcomp --ipcompspi 4:3;;FAIL
diff --git a/extensions/libxt_length.t b/extensions/libxt_length.t
index 3905d2d0..bae313b4 100644
--- a/extensions/libxt_length.t
+++ b/extensions/libxt_length.t
@@ -9,5 +9,5 @@
-m length --length 0:65536;;FAIL
-m length --length -1:65535;;FAIL
-m length --length 4:4;-m length --length 4;OK
--m length --length 4:3;=;OK
+-m length --length 4:3;;FAIL
-m length;;FAIL
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index f622f4c6..cecf7d35 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -291,8 +291,8 @@ static void xtopt_parse_mint(struct xt_option_call *cb)
size_t esize = xtopt_esize_by_type(entry->type);
const uintmax_t lmax = xtopt_max_by_type(entry->type);
void *put = XTOPT_MKPTR(cb);
+ uintmax_t value, lmin = 0;
unsigned int maxiter;
- uintmax_t value;
char *end = "";
char sep = ':';
@@ -314,16 +314,17 @@ static void xtopt_parse_mint(struct xt_option_call *cb)
end = (char *)arg;
value = (cb->nvals == 1) ? lmax : 0;
} else {
- if (!xtables_strtoul(arg, &end, &value, 0, lmax))
+ if (!xtables_strtoul(arg, &end, &value, lmin, lmax))
xt_params->exit_err(PARAMETER_PROBLEM,
"%s: bad value for option \"--%s\" near "
- "\"%s\", or out of range (0-%ju).\n",
- cb->ext_name, entry->name, arg, lmax);
+ "\"%s\", or out of range (%ju-%ju).\n",
+ cb->ext_name, entry->name, arg, lmin, lmax);
if (*end != '\0' && *end != sep)
xt_params->exit_err(PARAMETER_PROBLEM,
"%s: Argument to \"--%s\" has "
"unexpected characters near \"%s\".\n",
cb->ext_name, entry->name, end);
+ lmin = value;
}
xtopt_mint_value_to_cb(cb, value);
++cb->nvals;
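Review bot: A descending range such as `4:3` is now rejected through the generic xtables_strtoul failure path, so the user is told "bad value ... or out of range (4-max)" rather than that the range is reversed; a dedicated message for the `value < lmin` case would be clearer to rule authors. The assignment `lmin = value;` carries the whole monotonicity rule and deserves a comment like `/* later elements must not be smaller than this one */`. The updated .t files show these ranges were previously accepted and echoed back unchanged, so rule dumps saved by an older build may contain them and would presumably fail to load after this change. That is worth a line in the commit message or release notes. xtopt_parse_mint begins and ends outside the hunk.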