nft: Increase rule parser strictness

Catch more unexpected conditions. Signed-off-by: Phil Sutter <phil@nwl.cc>
author: Phil Sutter <phil@nwl.cc> 2022-12-15 15:08:01 +0100
committer: Phil Sutter <phil@nwl.cc> 2022-12-20 21:49:38 +0100
commit: 9075c3aa983d96c4331cb28fab5f30afd52bbb21 (patch)
tree: 05160cf21b97dae51290a77922c087cb1b49e6f2 /iptables/nft-ipv6.c
parent: f2c5e52863ea48838e9b9246ed94419053673b88 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 3a373b7e..e9892185 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -173,10 +173,12 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
 		if (inv)
 			cs->fw6.ipv6.invflags |= IP6T_INV_PROTO;
 	case offsetof(struct ip6_hdr, ip6_hlim):
-		nft_parse_hl(ctx, e, cs);
+		if (nft_parse_hl(ctx, e, cs) < 0)
+			ctx->errmsg = "invalid ttl field match";
 		break;
 	default:
 		DEBUGP("unknown payload offset %d\n", reg->payload.offset);
+		ctx->errmsg = "unknown payload offset";
 		break;
 	}
 }
author	Phil Sutter <phil@nwl.cc>	2022-12-15 15:08:01 +0100
committer	Phil Sutter <phil@nwl.cc>	2022-12-20 21:49:38 +0100
commit	9075c3aa983d96c4331cb28fab5f30afd52bbb21 (patch)
tree	05160cf21b97dae51290a77922c087cb1b49e6f2 /iptables/nft-ipv6.c
parent	f2c5e52863ea48838e9b9246ed94419053673b88 (diff)