parser_json: Catch wrong "reset" payload

The statement happily accepted any valid expression as payload and
assumed it to be a tcpopt expression (actually, a special case of
exthdr). Add a check to make sure this is the case.

Standard syntax does not provide this flexibility, so no need to have
the check there as well.

Fixes: 5d837d270d5a8 ("src: add tcp option reset support")
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/src/parser_json.c b/src/parser_json.c
index e8a175de8067638d222730d433f745eff437fe87..9532f7be04d67ee0412f0e78ea03818af5198120 100644 (file)
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -2797,7 +2797,14 @@ static struct stmt *json_parse_optstrip_stmt(struct json_ctx *ctx,
 {
        struct expr *expr = json_parse_expr(ctx, value);
 
-       return expr ? optstrip_stmt_alloc(int_loc, expr) : NULL;
+       if (!expr ||
+           expr->etype != EXPR_EXTHDR ||
+           expr->exthdr.op != NFT_EXTHDR_OP_TCPOPT) {
+               json_error(ctx, "Illegal TCP optstrip argument");
+               return NULL;
+       }
+
+       return optstrip_stmt_alloc(int_loc, expr);
 }
 
 static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root)