From: Florian Westphal
Date: Mon, 17 Mar 2025 11:56:36 +0000 (+0100)
Subject: evaluate: move interval flag compat check after set key evaluation
X-Git-Tag: v1.1.2~48
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3e50cd6b063d64c2e72b0e32bc36dd5a22f75c06;p=thirdparty%2Fnftables.git

evaluate: move interval flag compat check after set key evaluation

Without this, included bogon asserts with:

BUG: unhandled key type 13
nft: src/intervals.c:73: setelem_expr_to_range: Assertion `0' failed.

... because we no longer evaluate set->key/data.

Move the check to the tail of the function, right before assigning
set->existing_set, so that set->key has been evaluated.

Fixes: ceab53cee499 ("evaluate: don't allow merging interval set/map with non-interval one")
Signed-off-by: Florian Westphal
Reviewed-by: Pablo Neira Ayuso
---
diff --git a/src/evaluate.c b/src/evaluate.c index d59993dc..f1f7ddaa 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -5088,9 +5088,6 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) if (existing_flags == new_flags) set->flags |= NFT_SET_EVAL; } - - if (set_is_interval(set->flags) && !set_is_interval(existing_set->flags)) - return set_error(ctx, set, "existing %s lacks interval flag", type); } else { set_cache_add(set_get(set), table); } @@ -5181,6 +5178,9 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) return 0; } + if (existing_set && set_is_interval(set->flags) && !set_is_interval(existing_set->flags)) + return set_error(ctx, set, "existing %s lacks interval flag", type); + set->existing_set = existing_set; return 0; diff --git a/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_2_assert b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_2_assert new file mode 100644 index 00000000..56f541a6 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_2_assert 
@@ -0,0 +1,13 @@ +table inet t { + map m2 { + typeof udp length . @ih,32,32 : verdict + elements = { + 1-10 . 0xa : drop } + } + + map m2 { + typeof udp length . @ih,32,32 : verdict + flags interval + elements = { 20-80 . 0x14 : accept } + } +}
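
Review bot: In the second src/evaluate.c hunk (@@ -5181,6 +5178,9 @@), the relocated check sits directly after a block that ends in `return 0;`, so any path taking that early return skips the interval-flag comparison that the first hunk removed from the branch preceding `} else {`. It is worth confirming that this block can never be reached with a non-NULL existing_set whose flags disagree. A one-line comment above the new `if` should state that the check must stay after set->key has been evaluated, so that a later cleanup does not move it back up. The condition line is also well past 80 columns and could be wrapped after the first `&&`.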
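
Review bot: The new bogon file invalid_data_expr_type_range_value_2_assert only redeclares a map, whereas the moved check builds its message from `"existing %s lacks interval flag"` and `type`, so it is shared by sets and maps. A second reproducer that redeclares a set with `flags interval` on top of a non-interval declaration, using the same concatenated `typeof udp length . @ih,32,32` key, would cover the other value of `type` on the relocated path.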