evaluate: check XOR RHS operand is a constant value

Now that we support non-constant RHS side in binary operations,
reject XOR with non-constant key: we cannot transfer the expression.

Fixes: 54bfc38c522b ("src: allow binop expressions with variable right-hand operands")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index 8f037601c45fe985d20ccbc4386c74c086b13710..0a430c827210179e4954c6d6ceb3da19c8c6d50f 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2578,16 +2578,20 @@ static int binop_can_transfer(struct eval_ctx *ctx,
 
        switch (left->op) {
        case OP_LSHIFT:
+               assert(left->right->etype == EXPR_VALUE);
+               assert(right->etype == EXPR_VALUE);
+
                if (mpz_scan1(right->value, 0) < mpz_get_uint32(left->right->value))
                        return expr_binary_error(ctx->msgs, right, left,
                                                 "Comparison is always false");
                return 1;
        case OP_RSHIFT:
+               assert(left->right->etype == EXPR_VALUE);
                if (ctx->ectx.len < right->len + mpz_get_uint32(left->right->value))
                        ctx->ectx.len += mpz_get_uint32(left->right->value);
                return 1;
        case OP_XOR:
-               return 1;
+               return expr_is_constant(left->right);
        default:
                return 0;
        }