arptables: Check the mandatory ar_pln match

This match is added by nft_arp_add() to every rule with same value, so
when parsing just check it is as expected and otherwise ignore it. This
allows to treat matches on all other offsets/lengths as error.

Fixes: 84909d171585d ("xtables: bootstrap ARP compatibility layer for nftables")
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index d670cbe629fe4104d3e8dfa5d82b43e1f399c6be..edf179521e35544c951ab4f91e9ff030bc9b5840 100644 (file)
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -214,7 +214,7 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
        struct arpt_entry *fw = &cs->arp;
        struct in_addr addr;
        uint16_t ar_hrd, ar_pro, ar_op;
-       uint8_t ar_hln;
+       uint8_t ar_hln, ar_pln;
        bool inv;
 
        switch (reg->payload.offset) {
@@ -246,6 +246,11 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
                if (inv)
                        fw->arp.invflags |= IPT_INV_ARPOP;
                break;
+       case offsetof(struct arphdr, ar_pln):
+               get_cmp_data(e, &ar_pln, sizeof(ar_pln), &inv);
+               if (ar_pln != 4 || inv)
+                       ctx->errmsg = "unexpected ARP protocol length match";
+               break;
        default:
                if (reg->payload.offset == sizeof(struct arphdr)) {
                        if (nft_arp_parse_devaddr(reg, e, &fw->arp.src_devaddr))