author | Phil Sutter <phil@nwl.cc> | 2021-02-19 16:54:57 +0100 |
committer | Phil Sutter <phil@nwl.cc> | 2021-03-09 09:27:17 +0100 |
commit | 330f5df03ad589b46865ceedf2a54cf10a4225ba (patch) | |
tree | f1884d4455cb5934037248e920dc3525af43b361 /iptables/nft-shared.c | |
parent | 5f1fcacebf9b4529950b6e3f88327049a0ea7cd2 (diff) |
nft: Fix bitwise expression avoidance detection
Byte-boundary prefix detection was too sloppy: Any data following the
first zero-byte was ignored. Add a follow-up loop making sure there are
no stray bits in the designated host part.
Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/nft-shared.c')
-rw-r--r-- | iptables/nft-shared.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 10553ab2..c1664b50 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -166,7 +166,7 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
 {
 	const unsigned char *m = mask;
 	bool bitwise = false;
-	int i;
+	int i, j;
 
 	for (i = 0; i < len; i++) {
 		if (m[i] != 0xff) {
@@ -174,6 +174,8 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
 			break;
 		}
 	}
+	for (j = i + 1; !bitwise && j < len; j++)
+		bitwise = !!m[j];
 
 	if (!bitwise)
 		len = i;
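Review bot: The new loop `for (j = i + 1; !bitwise && j < len; j++)` has no comment explaining why it starts at `i + 1` and what it guards, and a reader has to infer that the `if` body of the first loop (cut between the two hunks) already classified `m[i]` itself, so only the bytes after it remain to be checked. A one-line comment above it would make the invariant explicit: `/* a prefix on a byte boundary needs every byte after the first non-0xff one to be zero */`. When the first loop runs to completion, `i == len` and the new loop is skipped, which is correct but worth stating since it is the only reason `i + 1` cannot index past the mask. Getting this classification wrong matters beyond correctness: mapping a non-prefix mask onto a `len = i` prefix match silently widens or narrows the addresses a rule applies to, so the check deserves documentation. add_addr begins before the first hunk and continues after the second.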