提交 08b5194b 编写于 作者: T Thomas Jacob 提交者: Patrick McHardy

netfilter: xt_iprange: Incorrect xt_iprange boundary check for IPv6

iprange_ipv6_sub was substracting 2 unsigned ints and then casting
the result to int to find out whether they are lt, eq or gt each
other, this doesn't work if the full 32 bits of each part
can be used in IPv6 addresses. Patch should remedy that without
significant performance penalties. Also number of ntohl
calls can be reduced this way (Jozsef Kadlecsik).
Signed-off-by: NThomas Jacob <jacob@internet24.de>
Signed-off-by: NPatrick McHardy <kaber@trash.net>
上级 c71caf41
...@@ -53,15 +53,13 @@ iprange_mt4(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -53,15 +53,13 @@ iprange_mt4(const struct sk_buff *skb, struct xt_action_param *par)
} }
static inline int static inline int
iprange_ipv6_sub(const struct in6_addr *a, const struct in6_addr *b) iprange_ipv6_lt(const struct in6_addr *a, const struct in6_addr *b)
{ {
unsigned int i; unsigned int i;
int r;
for (i = 0; i < 4; ++i) { for (i = 0; i < 4; ++i) {
r = ntohl(a->s6_addr32[i]) - ntohl(b->s6_addr32[i]); if (a->s6_addr32[i] != b->s6_addr32[i])
if (r != 0) return ntohl(a->s6_addr32[i]) < ntohl(b->s6_addr32[i]);
return r;
} }
return 0; return 0;
...@@ -75,15 +73,15 @@ iprange_mt6(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -75,15 +73,15 @@ iprange_mt6(const struct sk_buff *skb, struct xt_action_param *par)
bool m; bool m;
if (info->flags & IPRANGE_SRC) { if (info->flags & IPRANGE_SRC) {
m = iprange_ipv6_sub(&iph->saddr, &info->src_min.in6) < 0; m = iprange_ipv6_lt(&iph->saddr, &info->src_min.in6);
m |= iprange_ipv6_sub(&iph->saddr, &info->src_max.in6) > 0; m |= iprange_ipv6_lt(&info->src_max.in6, &iph->saddr);
m ^= !!(info->flags & IPRANGE_SRC_INV); m ^= !!(info->flags & IPRANGE_SRC_INV);
if (m) if (m)
return false; return false;
} }
if (info->flags & IPRANGE_DST) { if (info->flags & IPRANGE_DST) {
m = iprange_ipv6_sub(&iph->daddr, &info->dst_min.in6) < 0; m = iprange_ipv6_lt(&iph->daddr, &info->dst_min.in6);
m |= iprange_ipv6_sub(&iph->daddr, &info->dst_max.in6) > 0; m |= iprange_ipv6_lt(&info->dst_max.in6, &iph->daddr);
m ^= !!(info->flags & IPRANGE_DST_INV); m ^= !!(info->flags & IPRANGE_DST_INV);
if (m) if (m)
return false; return false;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册