payload: only assert if l2 header base has no length
authorFlorian Westphal <fw@strlen.de>
Thu, 11 Jan 2024 12:11:22 +0000 (13:11 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 22 Jan 2025 23:41:54 +0000 (00:41 +0100)
commit 9cc41467c75ab6beb35e0d7c34d04acd1a44861b upstream.

nftables will assert in some cases because the sanity check is done even
for network and transport header bases.

However, stacked headers are only supported for the link layer.
Move the assertion around and add a test case for this.

Signed-off-by: Florian Westphal <fw@strlen.de>
src/payload.c
tests/shell/testcases/bogons/nft-f/payload_expr_pctx_update_assert [new file with mode: 0644]

index 184bc245dbda3307d51a88e0ec27596efd74454b..43e3c30eee460667ab1567f94e07fa8b77ce0d98 100644 (file)
@@ -114,11 +114,10 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
 
        assert(desc->base <= PROTO_BASE_MAX);
        if (desc->base == base->base) {
-               assert(base->length > 0);
-
                if (!left->payload.is_raw) {
                        if (desc->base == PROTO_BASE_LL_HDR &&
                            ctx->stacked_ll_count < PROTO_CTX_NUM_PROTOS) {
+                               assert(base->length > 0);
                                ctx->stacked_ll[ctx->stacked_ll_count] = base;
                                ctx->stacked_ll_count++;
                        }
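Review bot: The relocated `assert(base->length > 0);` still checks state built from a parsed ruleset, so for a link-layer base it remains a process abort in normal builds and compiles away under NDEBUG, in which case a zero-length base would be stored in `ctx->stacked_ll`. Whether a zero-length link-layer base can be reached from input is not visible in this hunk; if it can, reporting an error would be safer than asserting, though the function returns void, so that change would extend beyond the lines shown. At minimum I would add a comment directly above the assertion, `/* only link-layer headers can be stacked; network/transport bases may have no length */`, so the check is not hoisted back out of the branch later. The body of payload_expr_pctx_update starts and ends outside the hunk.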
diff --git a/tests/shell/testcases/bogons/nft-f/payload_expr_pctx_update_assert b/tests/shell/testcases/bogons/nft-f/payload_expr_pctx_update_assert
new file mode 100644 (file)
index 0000000..64bd596
--- /dev/null
@@ -0,0 +1 @@
+x x comp nexthdr comp