nft: Fix bitwise expression avoidance detection

Byte-boundary prefix detection was too sloppy: Any data following the first zero-byte was ignored. Add a follow-up loop making sure there are no stray bits in the designated host part. Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches") Signed-off-by: Phil Sutter <phil@nwl.cc>
author: Phil Sutter <phil@nwl.cc> 2021-02-19 16:54:57 +0100
committer: Phil Sutter <phil@nwl.cc> 2021-03-09 09:27:17 +0100
commit: 330f5df03ad589b46865ceedf2a54cf10a4225ba (patch)
tree: f1884d4455cb5934037248e920dc3525af43b361 /iptables/nft-shared.c
parent: 5f1fcacebf9b4529950b6e3f88327049a0ea7cd2 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 10553ab2..c1664b50 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -166,7 +166,7 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
 {
 	const unsigned char *m = mask;
 	bool bitwise = false;
-	int i;
+	int i, j;
 
 	for (i = 0; i < len; i++) {
 		if (m[i] != 0xff) {
@@ -174,6 +174,8 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
 			break;
 		}
 	}
+	for (j = i + 1; !bitwise && j < len; j++)
+		bitwise = !!m[j];
 
 	if (!bitwise)
 		len = i;
author	Phil Sutter <phil@nwl.cc>	2021-02-19 16:54:57 +0100
committer	Phil Sutter <phil@nwl.cc>	2021-03-09 09:27:17 +0100
commit	330f5df03ad589b46865ceedf2a54cf10a4225ba (patch)
tree	f1884d4455cb5934037248e920dc3525af43b361 /iptables/nft-shared.c
parent	5f1fcacebf9b4529950b6e3f88327049a0ea7cd2 (diff)