diff options
| author | Camiel Dobbelaar <camield@cvs.openbsd.org> | 2005-04-22 11:05:37 +0000 |
|---|---|---|
| committer | Camiel Dobbelaar <camield@cvs.openbsd.org> | 2005-04-22 11:05:37 +0000 |
| commit | d4b7454fab4c841cfb66100f91690f604c414fdd (patch) | |
| tree | a23ff0766175829d45a01b7cc87536bf7514eb3f /sbin/pfctl/parse.y | |
| parent | bb7eeb6788cc4643c489b2ebe3d081a57e6599b4 (diff) | |
Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.
ok mcbride@ (long time ago) dhartmei@ henning@
Diffstat (limited to 'sbin/pfctl/parse.y')
| -rw-r--r-- | sbin/pfctl/parse.y | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 179898f4f08..99d590539c1 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.482 2005/03/07 13:20:03 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.483 2005/04/22 11:05:36 camield Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -1543,11 +1543,15 @@ pfrule : action dir logquick interface route af proto fromto YYERROR; } r.match_tag_not = $9.match_tag_not; - r.flags = $9.flags.b1; - r.flagset = $9.flags.b2; if (rule_label(&r, $9.label)) YYERROR; free($9.label); + r.flags = $9.flags.b1; + r.flagset = $9.flags.b2; + if (($9.flags.b1 & $9.flags.b2) != $9.flags.b1) { + yyerror("flags always false"); + YYERROR; + } if ($9.flags.b1 || $9.flags.b2 || $8.src_os) { for (proto = $7; proto != NULL && proto->proto != IPPROTO_TCP; |