evaluate: honor statement length in integer evaluation

Otherwise, bogus error is reported:

 # nft --debug=netlink add rule ip x y 'ct mark set ip dscp & 0x0f << 1 | 0xff000000'
 Error: Value 4278190080 exceeds valid range 0-63
 add rule ip x y ct mark set ip dscp & 0x0f << 1 | 0xff000000
                                                   ^^^^^^^^^^

Use the statement length as the maximum value in the mark statement
expression.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index 97752c0f7b66ee7675098942d479750ec6511176..4178be4e1d6f422b04570756a0e3a6a0a9f2f067 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -389,6 +389,7 @@ static int expr_evaluate_integer(struct eval_ctx *ctx, struct expr **exprp)
 {
        struct expr *expr = *exprp;
        char *valstr, *rangestr;
+       uint32_t masklen;
        mpz_t mask;
 
        if (ctx->ectx.maxval > 0 &&
@@ -401,7 +402,12 @@ static int expr_evaluate_integer(struct eval_ctx *ctx, struct expr **exprp)
                return -1;
        }
 
-       mpz_init_bitmask(mask, ctx->ectx.len);
+       if (ctx->stmt_len > ctx->ectx.len)
+               masklen = ctx->stmt_len;
+       else
+               masklen = ctx->ectx.len;
+
+       mpz_init_bitmask(mask, masklen);
        if (mpz_cmp(expr->value, mask) > 0) {
                valstr = mpz_get_str(NULL, 10, expr->value);
                rangestr = mpz_get_str(NULL, 10, mask);
@@ -414,7 +420,7 @@ static int expr_evaluate_integer(struct eval_ctx *ctx, struct expr **exprp)
                return -1;
        }
        expr->byteorder = ctx->ectx.byteorder;
-       expr->len = ctx->ectx.len;
+       expr->len = masklen;
        mpz_clear(mask);
        return 0;
 }