The following configuration:
    table inet filter {
        chain input {
            ct original ip daddr {1.2.3.4} accept
        }
    }
is triggering an infinite loop.
This problem also exists with concatenations and ct ip {s,d}addr. Until
we have a solution for this, let's just prevent infinite loops.
Now we hit this:
    # nft list ruleset
    nft: netlink_delinearize.c:124: netlink_parse_concat_expr: Assertion `consumed > 0' failed.
    Abort
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
unsigned int len)
{
struct expr *concat, *expr;
+ unsigned int consumed;
concat = concat_expr_alloc(loc);
while (len > 0) {
}
compound_expr_add(concat, expr);
- len -= netlink_padded_len(expr->len);
+ consumed = netlink_padded_len(expr->len);
+ assert(consumed > 0);
+ len -= consumed;
reg += netlink_register_space(expr->len);
}
return concat;
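Review bot: the assert(consumed > 0) added inside the while (len > 0) loop only guards against the hang in builds where assertions are enabled; with NDEBUG defined it is compiled out, and an expression whose padded length is zero makes the loop spin forever again. Where the assert is active, the result is an abort of the whole nft process. Consider handling consumed == 0 explicitly, by breaking out of the loop or failing the parse with an error, so the guard does not depend on build flags. Separately, len is unsigned int, so "len -= consumed" wraps around to a large value if consumed is ever greater than the remaining len; checking consumed <= len before the subtraction would keep the loop bounded in that case too.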