parser_json: reject empty jump/goto chain

When parsing a verdict map json where element jumps to chain represented
as empty string.

internal:0:0-0: Error: Parsing list expression item at index 0 failed.
internal:0:0-0: Error: Invalid set elem at index 0.
internal:0:0-0: Error: Invalid set elem expression.
internal:0:0-0: Error: Parsing command array at index 2 failed.

Fixes: 586ad210368b ("libnftables: Implement JSON parser")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/parser_json.c b/src/parser_json.c
index 9d5ec2275b30d8c1feaf3577c2ab99827dc29a2d..053dd81a076f7e26e64e69dbe076bf4dc6f918c1 100644 (file)
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -1360,9 +1360,13 @@ static struct expr *json_parse_verdict_expr(struct json_ctx *ctx,
                if (strcmp(type, verdict_tbl[i].name))
                        continue;
 
-               if (verdict_tbl[i].need_chain &&
-                   json_unpack_err(ctx, root, "{s:s}", "target", &chain))
-                       return NULL;
+               if (verdict_tbl[i].need_chain) {
+                       if (json_unpack_err(ctx, root, "{s:s}", "target", &chain))
+                               return NULL;
+
+                       if (!chain || chain[0] == '\0')
+                               return NULL;
+               }
 
                return verdict_expr_alloc(int_loc, verdict_tbl[i].verdict,
                                          json_alloc_chain_expr(chain));