svn commit: r361624 - head/sys/netpfil/ipfw

Fri May 29 10:37:43 UTC 2020

Author: ae
Date: Fri May 29 10:37:42 2020
New Revision: 361624
URL: https://svnweb.freebsd.org/changeset/base/361624

Log:
  Fix O_IP_FLOW_LOOKUP opcode handling.
  
  Do not check table value matching when table lookup has failed.
  
  Reported by:	Sergey Lobanov
  MFC after:	1 week

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==============================================================================

--- head/sys/netpfil/ipfw/ip_fw2.c	Fri May 29 10:09:47 2020	(r361623)
+++ head/sys/netpfil/ipfw/ip_fw2.c	Fri May 29 10:37:42 2020	(r361624)
@@ -2106,6 +2106,8 @@ do {								\
 					uint32_t v = 0;
 					match = ipfw_lookup_table(chain,
 					    cmd->arg1, 0, &args->f_id, &v);
+					if (!match)
+						break;
 					if (cmdlen == F_INSN_SIZE(ipfw_insn_u32))
 						match = ((ipfw_insn_u32 *)cmd)->d[0] ==
 						    TARG_VAL(chain, v, tag);
