json: prevent null deref if chain->policy is not set

The two commits mentioned below resolved null dererence crashes when the
policy resp. priority keyword was missing in the chain/flowtable
specification.

Same issue exists in the json output path, so apply similar fix there
and extend the existing test cases.

Fixes: 5b37479b42b3 ("nftables: don't crash in 'list ruleset' if policy is not set")
Fixes: b40bebbcee36 ("rule: do not crash if to-be-printed flowtable lacks priority")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>

diff --git a/src/json.c b/src/json.c
index cbed9ce9ccb73c776ee22136725fd23cd00685fa..e64bbf5768b25e76c162a1d19be723a15dcc528b 100644 (file)
--- a/src/json.c
+++ b/src/json.c
@@ -300,8 +300,14 @@ static json_t *chain_print_json(const struct chain *chain)
        if (chain->flags & CHAIN_F_BASECHAIN) {
                mpz_export_data(&priority, chain->priority.expr->value,
                                BYTEORDER_HOST_ENDIAN, sizeof(int));
-               mpz_export_data(&policy, chain->policy->value,
-                               BYTEORDER_HOST_ENDIAN, sizeof(int));
+
+               if (chain->policy) {
+                       mpz_export_data(&policy, chain->policy->value,
+                                       BYTEORDER_HOST_ENDIAN, sizeof(int));
+               } else {
+                       policy = NF_ACCEPT;
+               }
+
                tmp = json_pack("{s:s, s:s, s:i, s:s}",
                                "type", chain->type.str,
                                "hook", hooknum2str(chain->handle.family,
@@ -476,10 +482,13 @@ static json_t *obj_print_json(const struct obj *obj)
 static json_t *flowtable_print_json(const struct flowtable *ftable)
 {
        json_t *root, *devs = NULL;
-       int i, priority;
+       int i, priority = 0;
+
+       if (ftable->priority.expr) {
+               mpz_export_data(&priority, ftable->priority.expr->value,
+                               BYTEORDER_HOST_ENDIAN, sizeof(int));
+       }
 
-       mpz_export_data(&priority, ftable->priority.expr->value,
-                       BYTEORDER_HOST_ENDIAN, sizeof(int));
        root = json_pack("{s:s, s:s, s:s, s:I, s:s, s:i}",
                        "family", family2str(ftable->handle.family),
                        "name", ftable->handle.flowtable.name,

diff --git a/tests/shell/testcases/bogons/nft-j-f/flowtable-no-priority-crash b/tests/shell/testcases/bogons/nft-j-f/flowtable-no-priority-crash
new file mode 100644 (file)
index 0000000..f348da9
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-j-f/flowtable-no-priority-crash
@@ -0,0 +1,6 @@
+table ip filter {
+       flowtable ft1 {
+               devices = { lo }
+       }
+}
+list ruleset

diff --git a/tests/shell/testcases/nft-f/0021list_ruleset_0 b/tests/shell/testcases/nft-f/0021list_ruleset_0
index 37729b4f86d9c18eb7f79e0f295bcc62fb3beb1c..f3c3749be907a15a158e7900e9824c35b979bc0f 100755 (executable)
--- a/tests/shell/testcases/nft-f/0021list_ruleset_0
+++ b/tests/shell/testcases/nft-f/0021list_ruleset_0
@@ -12,4 +12,9 @@ RULESET="table filter {
 list  ruleset
 "
 
-exec $NFT -f - <<< "$RULESET"
+$NFT -f - <<< "$RULESET"
+
+if [ "$NFT_TEST_HAVE_json" != n ]; then
+       $NFT flush ruleset
+       $NFT -j -f - <<< "$RULESET"
+fi