From: Florian Westphal Date: Fri, 22 Dec 2023 14:30:09 +0000 (+0100) Subject: datatype: do not assert when value exceeds expected width X-Git-Tag: v1.0.6.1~263 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3ffca846fd3dcfc336f3176e3adbfbb817b69e0d;p=thirdparty%2Fnftables.git datatype: do not assert when value exceeds expected width commit a852022d719e5a414df41a10c331f4492e9d3073 upstream. Inputs: ip protocol . th dport { tcp / 22, }' or th dport . ip protocol { tcp / 22, }' are not rejected at this time. 'list ruleset' yields: ip protocol & nft: src/gmputil.c:77: mpz_get_uint8: Assertion `cnt <= 1' failed. or th dport & nft: src/gmputil.c:87: mpz_get_be16: Assertion `cnt <= 1' failed. While this should be caught at input too, the print path should be more robust, e.g. when there are direct nfnetlink users. After this patch, the print functions fall back to 'integer_type_print' which can handle large numbers too. Note that the output printed this way cannot be read back by nft; it will dump something like: tcp dport & 18446739675663040512 . ip protocol 0 . 0 but thats better than assert(). v2: same problem exists for service too. Signed-off-by: Florian Westphal --- diff --git a/src/datatype.c b/src/datatype.c index 675faa08..fa279a5a 100644 --- a/src/datatype.c +++ b/src/datatype.c @@ -618,7 +618,8 @@ static void inet_protocol_type_print(const struct expr *expr, { struct protoent *p; - if (!nft_output_numeric_proto(octx)) { + if (!nft_output_numeric_proto(octx) && + mpz_cmp_ui(expr->value, UINT8_MAX) <= 0) { p = getprotobynumber(mpz_get_uint8(expr->value)); if (p != NULL) { nft_print(octx, "%s", p->p_name); @@ -697,7 +698,8 @@ static void inet_service_print(const struct expr *expr, struct output_ctx *octx) void inet_service_type_print(const struct expr *expr, struct output_ctx *octx) { - if (nft_output_service(octx)) { + if (nft_output_service(octx) && + mpz_cmp_ui(expr->value, UINT16_MAX) <= 0) { inet_service_print(expr, octx); return; }