rule: make cmd_free(NULL) valid

bison uses cmd_free($$) as destructor, but base_cmd can
set it to NULL, e.g.

  |       ELEMENT         set_spec        set_block_expr
  {
    if (nft_cmd_collapse_elems(CMD_ADD, state->cmds, &$2, $3)) {
       handle_free(&$2);
       expr_free($3);
       $$ = NULL;   // cmd set to NULL
       break;
    }
    $$ = cmd_alloc(CMD_ADD, CMD_OBJ_ELEMENTS, &$2, &@$, $3);

expr_free(NULL) is legal, cmd_free() causes crash.  So just allow
this to avoid cluttering parser_bison.y with "if ($$)".

Also add the afl-generated bogon input to the test files.

Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/rule.c b/src/rule.c
index 151ed531969c25fadd3fc8ee7c0479f686bdfa26..cc43cd18b7c7275ff337520579af5f461b7eda7f 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -1372,6 +1372,9 @@ void monitor_free(struct monitor *m)
 
 void cmd_free(struct cmd *cmd)
 {
+       if (cmd == NULL)
+               return;
+
        handle_free(&cmd->handle);
        if (cmd->data != NULL) {
                switch (cmd->obj) {

diff --git a/tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free b/tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free
new file mode 100644 (file)
index 0000000..6a42aa9
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free
@@ -0,0 +1,20 @@
+nt      rootepep test- {
+* : 1:3 }
+        element root tesip {
+* : 1:3 }
+        elent   rootsel s1 {
+        typ�    elements < { "Linux" }
+        }
+tatlet e t {
+        thataepep test- {
+* : 1:3 }
+        element root tesip {
+* : 1:3 }�      table Cridgents < t {
+list            set y p
+        type i , {
+        sel s1 {
+        typ�    elements < { "Linux" }
+        }
+tatlet e t {
+        thatable Cridgents < t {
+lis