| author | Phil Sutter <phil@nwl.cc> | 2026-01-28 20:29:51 +0100 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2026-01-30 17:21:18 +0100 |
| commit | 7f5f85f5c1d29cffd62f6343b91c498256b4972a (patch) | |
| tree | c2680eda1122cde10aa1a8a838ae034758d62980 | |
| parent | 85a19cead8eb889fb1a01a25f292cf208b2adf50 (diff) | |
ruleparse: arp: Fix for all-zero mask on Big Endian
With 16bit mask values, the first two bytes of bitwise.mask in struct
nft_xt_ctx_reg are significant. Reading the first 32bit-sized field
works only on Little Endian, on Big Endian the mask appears in the upper
two bytes which are discarded when assigning to a 16bit variable.
Fixes: ab2d5f8c7bbee ("nft-arp: add missing mask support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
| -rw-r--r-- | iptables/nft-ruleparse-arp.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/iptables/nft-ruleparse-arp.c b/iptables/nft-ruleparse-arp.c
index b0671cb0..632e7ac9 100644
--- a/iptables/nft-ruleparse-arp.c
+++ b/iptables/nft-ruleparse-arp.c
@@ -90,7 +90,8 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
 if (inv)
 fw->arp.invflags |= IPT_INV_ARPHRD;
 if (reg->bitwise.set)
- fw->arp.arhrd_mask = reg->bitwise.mask[0];
+ memcpy(&fw->arp.arhrd_mask, reg->bitwise.mask,
+ sizeof(fw->arp.arhrd_mask));
 break;
 case offsetof(struct arphdr, ar_pro):
 get_cmp_data(e, &ar_pro, sizeof(ar_pro), &inv);
@@ -99,7 +100,8 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
 if (inv)
 fw->arp.invflags |= IPT_INV_PROTO;
 if (reg->bitwise.set)
- fw->arp.arpro_mask = reg->bitwise.mask[0];
+ memcpy(&fw->arp.arpro_mask, reg->bitwise.mask,
+ sizeof(fw->arp.arpro_mask));
 break;
 case offsetof(struct arphdr, ar_op):
 get_cmp_data(e, &ar_op, sizeof(ar_op), &inv);
@@ -108,7 +110,8 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
 if (inv)
 fw->arp.invflags |= IPT_INV_ARPOP;
 if (reg->bitwise.set)
- fw->arp.arpop_mask = reg->bitwise.mask[0];
+ memcpy(&fw->arp.arpop_mask, reg->bitwise.mask,
+ sizeof(fw->arp.arpop_mask));
 break;
 case offsetof(struct arphdr, ar_hln):
 get_cmp_data(e, &ar_hln, sizeof(ar_hln), &inv);
@@ -117,7 +120,8 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
 if (inv)
 fw->arp.invflags |= IPT_INV_ARPHLN;
 if (reg->bitwise.set)
- fw->arp.arhln_mask = reg->bitwise.mask[0];
+ memcpy(&fw->arp.arhln_mask, reg->bitwise.mask,
+ sizeof(fw->arp.arhln_mask));
 break;
 case offsetof(struct arphdr, ar_pln):
 get_cmp_data(e, &ar_pln, sizeof(ar_pln), &inv); |
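Review bot: The four new `memcpy()` calls in nft_arp_parse_payload (arhrd_mask here, then arpro_mask, arpop_mask and arhln_mask in the following hunks) have no comment saying why a byte copy replaces the plain assignment, so a later cleanup could reintroduce `= reg->bitwise.mask[0]` and break Big Endian again without notice. I would add one comment above the first copy, for example `/* copy the leading mask bytes; reading mask[0] as 32bit drops them on Big Endian */`. A mask parsed as all-zero presumably makes the rule look as if the field is not matched at all, so a test case with a non-trivial arhrd/arpro/arpop mask would also be worth adding; the diffstat shows only this one file changed. The copies are bounded by the destination size, but the declaration of `bitwise.mask` and the start and end of the function are outside the hunks, so the source size could not be checked from here.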
