evaluate: clone unary expression datatype to deal with dynamic datatype
authorPablo Neira Ayuso <pablo@netfilter.org>
Wed, 22 Nov 2023 19:35:07 +0000 (20:35 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 27 Nov 2023 11:54:51 +0000 (12:54 +0100)
upstream faa6908fad6053ae9549c45b88d0402cc69cf1ed commit.

When allocating a unary expression, clone the datatype to deal with
dynamic datatypes.

Fixes: 6b01bb9ff798 ("datatype: concat expression only releases dynamically allocated datatype")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c
tests/shell/testcases/maps/dumps/vmap_unary.nft [new file with mode: 0644]
tests/shell/testcases/maps/vmap_unary [new file with mode: 0755]

index bc27041621f1823e45955f15620f4f09515a7c75..bdd7d4582978a7ddc1e8599985a58e1f75a674f3 100644 (file)
@@ -1127,7 +1127,7 @@ static int expr_evaluate_unary(struct eval_ctx *ctx, struct expr **expr)
                BUG("invalid unary operation %u\n", unary->op);
        }
 
-       unary->dtype     = arg->dtype;
+       unary->dtype     = dtype_clone(arg->dtype);
        unary->byteorder = byteorder;
        unary->len       = arg->len;
        return 0;
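Review bot: The clone stored on the `+` line needs a matching release when the unary expression is destroyed, and nothing in this hunk shows one; unless unary's destroy path calls datatype_free() on unary->dtype (the way the concat fix named in the Fixes tag does for its own dtype), every evaluated unary expression now leaks a datatype. It is also worth confirming that dtype_clone() cannot return NULL here, or that a NULL arg->dtype is ruled out earlier in the function, since the result is assigned without a check. A one-line comment would make the ownership change visible to the next reader: `/* cloned: the unary expression owns its dtype and must release it on destroy */`. expr_evaluate_unary starts outside the hunk, so the switch that ends in BUG() is only partially visible.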
diff --git a/tests/shell/testcases/maps/dumps/vmap_unary.nft b/tests/shell/testcases/maps/dumps/vmap_unary.nft
new file mode 100644 (file)
index 0000000..46c538b
--- /dev/null
@@ -0,0 +1,11 @@
+table ip filter {
+       map ipsec_in {
+               typeof ipsec in reqid . iif : verdict
+               flags interval
+       }
+
+       chain INPUT {
+               type filter hook input priority filter; policy drop;
+               ipsec in reqid . iif vmap @ipsec_in
+       }
+}
diff --git a/tests/shell/testcases/maps/vmap_unary b/tests/shell/testcases/maps/vmap_unary
new file mode 100755 (executable)
index 0000000..4038d1c
--- /dev/null
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip filter {
+       map ipsec_in {
+               typeof ipsec in reqid . iif : verdict
+               flags interval
+       }
+
+       chain INPUT {
+               type filter hook input priority 0; policy drop
+               ipsec in reqid . iif vmap @ipsec_in
+       }
+}"
+
+$NFT -f - <<< $RULESET
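Review bot: The script only asserts that nft accepts the ruleset, so the datatype-ownership problem this commit fixes is presumably caught here only when the harness runs nft under a memory checker; a header comment should say what the test guards, e.g. `# Regression test: a unary expression (ipsec in reqid . iif) must clone its datatype`, so it is not later trimmed as redundant with the dump. The ruleset literal duplicates tests/shell/testcases/maps/dumps/vmap_unary.nft except for `priority 0` versus `priority filter`, so the two can drift apart; loading the dump file directly would avoid that, if the local convention allows it. The unquoted `$RULESET` in the here-string is fine in bash, which does not word-split here-strings, and the unquoted `$NFT` matches the harness convention.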