From 9075c3aa983d96c4331cb28fab5f30afd52bbb21 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Thu, 15 Dec 2022 15:08:01 +0100
Subject: nft: Increase rule parser strictness
Catch more unexpected conditions.
Signed-off-by: Phil Sutter
---
 iptables/nft-ipv6.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'iptables/nft-ipv6.c')
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 3a373b7e..e9892185 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -173,10 +173,12 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
 if (inv)
 cs->fw6.ipv6.invflags |= IP6T_INV_PROTO;
 case offsetof(struct ip6_hdr, ip6_hlim):
- nft_parse_hl(ctx, e, cs);
+ if (nft_parse_hl(ctx, e, cs) < 0)
+ ctx->errmsg = "invalid ttl field match";
 break;
 default:
 DEBUGP("unknown payload offset %d\n", reg->payload.offset);
+ ctx->errmsg = "unknown payload offset";
 break;
 }
 }
--
cgit v1.2.3
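Review bot: The preceding next-header case still falls through into `case offsetof(struct ip6_hdr, ip6_hlim):` — the context lines show `cs->fw6.ipv6.invflags |= IP6T_INV_PROTO;` followed directly by the hop-limit case with no `break`, and the hunk header's old-side count of 10 lines confirms none was lost in the collapsed listing. With the new check, a next-header comparison is also handed to `nft_parse_hl()`, so a protocol match it rejects now surfaces as `invalid ttl field match`, and one it accepts presumably gets a hop-limit match attached to the rule (that depends on nft_parse_hl, which is outside the hunk). Inserting `break;` after the `invflags` assignment closes the fallthrough; if it is intentional it should at least carry a `/* fallthrough */` comment so the stricter error path is not triggered by accident. The default branch's `ctx->errmsg = "unknown payload offset";` also drops the offset value that the DEBUGP line prints, which is the one detail a user would need to report the problem. The enclosing nft_ipv6_parse_payload() starts before this hunk.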