| | | |
|---|---|---|
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-10-01 14:51:24 +0200 |
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-10-03 12:19:35 +0200 |
| commit | 95629758a5ec36313d839f8545fef0dc220408d8 (patch) | |
| tree | 87d41f7f29438af6b5ca75731282c22d0dc57a2b | /src/netlink.c |
| parent | 2e0ea44c99e466ea0bcb6aca5de95e2c7284f09c (diff) | |
segtree: bogus range via get set element on existing elements
```
table ip x {
	set y {
		type inet_service
		flags interval
		elements = { 10, 20-30, 40, 50-60 }
	}
}

# nft get element x y { 20-40 }
table ip x {
	set y {
		type inet_service
		flags interval
		elements = { 20-40 }
	}
}
```
20 and 40 exist in the tree, but they are part of different ranges.

This patch adds a new get_set_decompose() function to validate the left and the right side of the range.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
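The lookup failure the commit message describes, modelled as an added example (this is not nftables code): the naive check accepts 20-40 because 20 and 40 each exist somewhere in the set, while the checked version requires both endpoints of the requested range to fall inside the same stored interval. The struct, the function names and the containment rule are assumptions for illustration, not the actual logic of nftables' get_set_decompose().

```c
/* Model of an interval-set element lookup. Constructed sample data:
 * the set from the commit message, { 10, 20-30, 40, 50-60 }. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct interval { uint16_t from, to; };   /* inclusive bounds, inet_service style */

static const struct interval set_y[] = {
    { 10, 10 }, { 20, 30 }, { 40, 40 }, { 50, 60 },
};
static const size_t set_y_len = sizeof(set_y) / sizeof(set_y[0]);

/* Index of the stored interval containing v, or -1 if no interval does. */
static int find_interval(const struct interval *set, size_t n, uint16_t v)
{
    for (size_t i = 0; i < n; i++)
        if (v >= set[i].from && v <= set[i].to)
            return (int)i;
    return -1;
}

/* Flawed lookup (hypothetical model of the pre-fix behaviour): a range is
 * accepted as soon as each endpoint is found anywhere in the set, so the
 * query 20-40 is reported as an existing element even though 20 and 40
 * belong to different ranges. */
bool get_range_naive(const struct interval *set, size_t n,
                     uint16_t from, uint16_t to)
{
    return find_interval(set, n, from) >= 0 && find_interval(set, n, to) >= 0;
}

/* Validated lookup (hypothetical model of the check the commit adds): the
 * range must be well-ordered and both endpoints must sit in one interval. */
bool get_range_checked(const struct interval *set, size_t n,
                       uint16_t from, uint16_t to)
{
    int l = find_interval(set, n, from);
    int r = find_interval(set, n, to);

    return from <= to && l >= 0 && l == r;
}

int main(void)
{
    printf("20-40: naive=%d checked=%d\n",
           get_range_naive(set_y, set_y_len, 20, 40),
           get_range_checked(set_y, set_y_len, 20, 40));
    return 0;
}
```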
Diffstat (limited to 'src/netlink.c')
-rw-r--r-- | src/netlink.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/netlink.c b/src/netlink.c index f795d984..7c3082bb 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -1361,8 +1361,9 @@ int netlink_get_setelem(struct netlink_ctx *ctx, const struct handle *h, nftnl_set_free(nls_out); ctx->set = NULL; - if (set->flags & NFT_SET_INTERVAL) - get_set_decompose(table, set); + if (set->flags & NFT_SET_INTERVAL && + get_set_decompose(table, set) < 0) + return -1; return 0; } |
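Review bot: the new condition `set->flags & NFT_SET_INTERVAL && get_set_decompose(table, set) < 0` relies on `&` binding tighter than `&&`; the parse is correct, but writing the flag test as `(set->flags & NFT_SET_INTERVAL)` makes the intent explicit and avoids a reader having to recall the precedence. The early `return -1` is what turns the previously ignored result of get_set_decompose() into a failure of netlink_get_setelem(), and it sits after `nftnl_set_free(nls_out)` and `ctx->set = NULL`, so nothing owned by this function leaks on that path; worth confirming that get_set_decompose() itself queues an error message for the caller, since the bare -1 carries none.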