git.ipfire.org Git - thirdparty/nftables.git/commit
parser_bison: fix objref statement corruption
author: Florian Westphal <fw@strlen.de>
Fri, 8 Dec 2023 18:41:39 +0000 (19:41 +0100)
committer: Florian Westphal <fw@strlen.de>
Mon, 11 Dec 2023 16:11:06 +0000 (17:11 +0100)
commit: 78dffb470fcf7b1c0b1b3d6f43fcc056c337a808
tree: 992d35cb625668d220a1ab0c5fa5c5c19fd25240
parent: 08925ba0daf19753df933fed69f4572a7c9d3d47
parser_bison: fix objref statement corruption

Consider this:

counter_stmt            :       counter_stmt_alloc
                        |       counter_stmt_alloc      counter_args

counter_stmt_alloc      :       COUNTER { $$ = counter_stmt_alloc(&@$); }
                        |       COUNTER         NAME    stmt_expr
                        {
                                $$ = objref_stmt_alloc(&@$);
                                $$->objref.type = NFT_OBJECT_COUNTER;
                                $$->objref.expr = $3;
                        }
                        ;

counter_args            :       counter_arg { $<stmt>$        = $<stmt>0; }
                        |       counter_args    counter_arg
                        ;

counter_arg             :       PACKETS NUM { $<stmt>0->counter.packets = $2; }

[..]

This has 'counter_stmt_alloc' EITHER return a counter or an objref statement.
Both are the same structure but with different (union'd) trailer content.

counter_stmt permits the 'packet' and 'byte' argument.

But the 'counter_arg' directive only works with a statement
coming from counter_stmt_alloc().

afl++ came up with following input:

table inet x {
        chain y {
                counter name ip saddr bytes 1.1.1. 1024
        }
}

This clobbers the $<stmt>->objref.expr pointer; we then crash when
calling expr_evaluate() on it.

Split the objref related statements into their own directive.

After this, the input will fail with:
"syntax error, unexpected bytes, expecting newline or semicolon".

Also split most of the other objref statements into their own blocks.
synproxy seems to have the same problem; limit and quota appeared to be ok.

v1 added objref_stmt to the stateful_stmt list; this is wrong, we will
assert when generating the 'counter' statement.
Place it in the normal statement list so netlink_gen_stmt_stateful_assert
throws the expected parser error.

Fixes: dccab4f646b4 ("parser_bison: consolidate stmt_expr rule")
Signed-off-by: Florian Westphal <fw@strlen.de>
src/parser_bison.y
tests/shell/testcases/bogons/nft-f/counter_objref_crash [new file with mode: 0644]
tests/shell/testcases/bogons/nft-f/netlink_gen_stmt_stateful_assert [new file with mode: 0644]
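To make the corruption mechanism concrete, here is an added example (not code from nftables or from the commit) that models the shape the message describes: one statement struct whose trailer is a union of counter and objref payloads, a counter_arg-style writer that does not know which alternative produced the statement, and the tag check that rejects the input instead of silently overwriting the pointer. All struct and function names are hypothetical stand-ins.

```c
#include <stdint.h>
/* Constructed stand-in for the shape the commit describes: one statement struct
 * whose trailer is a union, so counter.* and objref.* occupy the same bytes.
 * All names here are hypothetical, not nftables' real definitions. */
enum stmt_kind { STMT_COUNTER, STMT_OBJREF };
struct expr { int id; };
struct stmt {
	enum stmt_kind kind;
	union {
		struct { uint64_t packets; uint64_t bytes; } counter;
		struct { int type; struct expr *expr; } objref;
	};
};

/* What the old counter_arg rule effectively did: write $<stmt>0->counter.*
 * without knowing which counter_stmt_alloc alternative produced the stmt. */
static void counter_args_unchecked(struct stmt *s, uint64_t packets, uint64_t bytes)
{
	s->counter.packets = packets;
	s->counter.bytes = bytes;
}

/* Tag check: counter arguments are only valid on a counter statement. */
static int counter_args_checked(struct stmt *s, uint64_t packets, uint64_t bytes)
{
	if (s->kind != STMT_COUNTER)
		return -1; /* caller reports a parse error instead of corrupting */
	counter_args_unchecked(s, packets, bytes);
	return 0;
}

/* Returns 1 if constructed args 'packets 7 bytes 1024' applied to an objref
 * statement moved objref.expr: the pointer is now garbage, never deref it. */
int objref_expr_clobbered(void)
{
	struct expr saddr = { 1 };
	struct stmt s = { .kind = STMT_OBJREF };
	s.objref.expr = &saddr;
	counter_args_unchecked(&s, 7, 1024);
	return s.objref.expr != &saddr;
}

/* Returns 1 if the tag check rejected the args and left objref.expr intact. */
int objref_expr_protected(void)
{
	struct expr saddr = { 1 };
	struct stmt s = { .kind = STMT_OBJREF };
	s.objref.expr = &saddr;
	return counter_args_checked(&s, 7, 1024) == -1 && s.objref.expr == &saddr;
}
```

Splitting objref into its own grammar rule, as the commit does, is the grammar-level form of this tag check: counter_arg can then only ever see a statement that really came from the counter alternative.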