optimize: segfault when releasing unsupported statement

author Pablo Neira Ayuso <pablo@netfilter.org>

Wed, 1 Jun 2022 08:14:22 +0000 (10:14 +0200)

committer Pablo Neira Ayuso <pablo@netfilter.org>

Wed, 1 Jun 2022 08:35:16 +0000 (10:35 +0200)
author Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 1 Jun 2022 08:14:22 +0000 (10:14 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 1 Jun 2022 08:35:16 +0000 (10:35 +0200)
diff --git a/src/optimize.c b/src/optimize.c

index d6dfffec3c86153baa13f458cd4dadef9a43e92a..3a3049d43690b640ef14141941b819e2bf6b670a 100644 (file)
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -304,7 +304,7 @@ static int rule_collect_stmts(struct optimize_ctx *ctx, struct rule *rule)
                         clone->nat.type_flags = stmt->nat.type_flags;
                         break;
                 default:
-                       stmt_free(clone);
+                       xfree(clone);
                         continue;
                 }
  
diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft

index 05b9e575c272aa41f763a6ffe7d968fa72e79543..c981acf0a77ceac8e15a11aeec3be79e3eaa7777 100644 (file)
--- a/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
+++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
@@ -1,4 +1,10 @@
  table ip x {
+       set s {
+               type ipv4_addr
+               size 65535
+               flags dynamic
+       }
+
         chain filter_in_tcp {
         }
  
@@ -6,6 +12,7 @@ table ip x {
         }
  
         chain y {
+               update @s { ip saddr limit rate 12/minute burst 30 packets } accept
                 tcp dport vmap { 80 : accept, 81 : accept, 443 : accept, 8000-8100 : accept, 24000-25000 : accept }
                 meta l4proto vmap { tcp : goto filter_in_tcp, udp : goto filter_in_udp }
                 log
diff --git a/tests/shell/testcases/optimizations/merge_vmaps b/tests/shell/testcases/optimizations/merge_vmaps

index 0922a221bd6d7c94a008b406bad156d1ad6790ab..e2e4be1560c5f4f9006caaa1c187306dc8373410 100755 (executable)
--- a/tests/shell/testcases/optimizations/merge_vmaps
+++ b/tests/shell/testcases/optimizations/merge_vmaps
@@ -3,11 +3,16 @@
  set -e
  
  RULESET="table ip x {
+       set s {
+               type ipv4_addr
+               flags dynamic
+       }
         chain filter_in_tcp {
         }
         chain filter_in_udp {
         }
         chain y {
+               update @s { ip saddr limit rate 12/minute burst 30 packets } accept
                 tcp dport vmap {
                         80 : accept,
                         81 : accept,
author	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 1 Jun 2022 08:14:22 +0000 (10:14 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 1 Jun 2022 08:35:16 +0000 (10:35 +0200)
src/optimize.c		patch \| blob \| blame \| history
tests/shell/testcases/optimizations/dumps/merge_vmaps.nft		patch \| blob \| blame \| history
tests/shell/testcases/optimizations/merge_vmaps		patch \| blob \| blame \| history