git.ipfire.org Git - thirdparty/nftables.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 12 Feb 2024 15:46:29 +0000 (16:46 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 22 Jan 2025 23:41:55 +0000 (00:41 +0100)
commit	836c73d6ca3491fbb1941a7935768c11d627143d
tree	0b5857022f7e3985fd250c5d1d6c84c98ae7a524	tree \| snapshot
parent	05dda2dc5278d2654a213184d8e891ae09ad6def	commit \| diff

evaluate: permit use of host-endian constant values in set lookup keys

commit c0080feb0d034913409944d23873cce4bf9edf9e upstream.

AFL found following crash:

table ip filter {
map ipsec_in {
typeof ipsec in reqid . iif : verdict
flags interval
}

chain INPUT {
type filter hook input priority filter; policy drop;
ipsec in reqid . 100 @ipsec_in
}
}

Which yields:
nft: evaluate.c:1213: expr_evaluate_unary: Assertion `!expr_is_constant(arg)' failed.

All existing test cases with constant values use big endian values, but
"iif" expects host endian values.

As raw values were not supported before, concat byteorder conversion
doesn't handle constants.

Fix this:

1. Add constant handling so that the number is converted in-place,
   without unary expression.

2. Add the inverse handling on delinearization for non-interval set
   types.
   When dissecting the concat data soup, watch for integer constants where
   the datatype indicates host endian integer.

Last, extend an existing test case with the afl input to cover
in/output.

A new test case is added to test linearization, delinearization and
matching.

Based on original patch from Florian Westphal, patch subject and
description wrote by him.

Fixes: b422b07ab2f9 ("src: permit use of constant values in set lookup keys")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/netlink.h		diff \| blob \| blame \| history
src/evaluate.c		diff \| blob \| blame \| history
src/netlink_delinearize.c		diff \| blob \| blame \| history