src: add rule_stmt_insert_at() and use it

This helper function adds a statement at a given position and it updates
the rule statement counter.

This patch fixes this:

flush table bridge test-bridge
add rule bridge test-bridge input vlan id 1 ip saddr 10.0.0.1
rule.c:2870:5: runtime error: index 2 out of bounds for type 'stmt *[*]'
=================================================================
==1043==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffdd69c1350 at pc 0x7f1036f53330 bp 0x7ffdd69c1300 sp 0x7ffdd69c12f8
WRITE of size 8 at 0x7ffdd69c1350 thread T0
    #0 0x7f1036f5332f in payload_try_merge /home/mbr/nftables/src/rule.c:2870
    #1 0x7f1036f534b7 in rule_postprocess /home/mbr/nftables/src/rule.c:2885
    #2 0x7f1036fb2785 in rule_evaluate /home/mbr/nftables/src/evaluate.c:3744
    #3 0x7f1036fb627b in cmd_evaluate_add /home/mbr/nftables/src/evaluate.c:3982
    #4 0x7f1036fbb9e9 in cmd_evaluate /home/mbr/nftables/src/evaluate.c:4462
    #5 0x7f10370652d2 in nft_evaluate /home/mbr/nftables/src/libnftables.c:414
    #6 0x7f1037065ba1 in nft_run_cmd_from_buffer /home/mbr/nftables/src/libnftables.c:447

Reported-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/rule.h b/include/rule.h
index ac69b30673e82069798503f1686d84a5413c0b91..5311b56301651248d74f0255db5e86fb44038439 100644 (file)
--- a/include/rule.h
+++ b/include/rule.h
@@ -280,6 +280,9 @@ extern void rule_print(const struct rule *rule, struct output_ctx *octx);
 extern struct rule *rule_lookup(const struct chain *chain, uint64_t handle);
 extern struct rule *rule_lookup_by_index(const struct chain *chain,
                                         uint64_t index);
+void rule_stmt_insert_at(struct rule *rule, struct stmt *nstmt,
+                        struct stmt *stmt);
+
 
 /**
  * struct set - nftables set

diff --git a/src/evaluate.c b/src/evaluate.c
index 59714131700034ba155b0d3adf06771def1b6c36..4cf28987049b403a6607c1f353ebbd74ae52c5e1 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -659,7 +659,7 @@ static int resolve_protocol_conflict(struct eval_ctx *ctx,
                if (err < 0)
                        return err;
 
-               list_add_tail(&nstmt->list, &ctx->stmt->list);
+               rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt);
        }
 
        assert(base <= PROTO_BASE_MAX);
@@ -673,7 +673,7 @@ static int resolve_protocol_conflict(struct eval_ctx *ctx,
                return 1;
 
        payload->payload.offset += ctx->pctx.protocol[base].offset;
-       list_add_tail(&nstmt->list, &ctx->stmt->list);
+       rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt);
 
        return 0;
 }
@@ -698,7 +698,8 @@ static int __expr_evaluate_payload(struct eval_ctx *ctx, struct expr *expr)
        if (desc == NULL) {
                if (payload_gen_dependency(ctx, payload, &nstmt) < 0)
                        return -1;
-               list_add_tail(&nstmt->list, &ctx->stmt->list);
+
+               rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt);
        } else {
                /* No conflict: Same payload protocol as context, adjust offset
                 * if needed.
@@ -840,8 +841,8 @@ static int ct_gen_nh_dependency(struct eval_ctx *ctx, struct expr *ct)
        relational_expr_pctx_update(&ctx->pctx, dep);
 
        nstmt = expr_stmt_alloc(&dep->location, dep);
+       rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt);
 
-       list_add_tail(&nstmt->list, &ctx->stmt->list);
        return 0;
 }
 

diff --git a/src/rule.c b/src/rule.c
index 23b1cbfc8fb20f6d353c7c360ebcc5d156bf229d..0759bec5f1a03f477f997e173c4fc45b6d97adaf 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -686,6 +686,13 @@ struct rule *rule_lookup_by_index(const struct chain *chain, uint64_t index)
        return NULL;
 }
 
+void rule_stmt_insert_at(struct rule *rule, struct stmt *nstmt,
+                        struct stmt *stmt)
+{
+       list_add_tail(&nstmt->list, &stmt->list);
+       rule->num_stmts++;
+}
+
 struct scope *scope_alloc(void)
 {
        struct scope *scope = xzalloc(sizeof(struct scope));