From: Florian Westphal
Date: Tue, 19 Dec 2023 11:14:37 +0000 (+0100)
Subject: intervals: BUG on prefix expressions without value
X-Git-Tag: v1.0.6.1~267
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=536aa4cd4d20ac15ee7b045ff8f4dbc38b06b4dc;p=thirdparty%2Fnftables.git

intervals: BUG on prefix expressions without value

commit 49721e28db3e7b28f443bf963547c12f4dcf856d upstream.

It's possible to end up with prefix expressions that have
a symbolic expression, e.g.:

table t {
        set s {
                type inet_service
                flags interval
                elements = { 172.16.0.0/16 }
        }
        set s {
                type inet_service
                flags interval
                elements = { 0-1024, 8080-8082, 10000-40000 }
        }
}

Without this change, nft will crash. We end up in
setelem_expr_to_range() with prefix "/16" for the symbolic
expression "172.16.0.0".

We then pass an invalid mpz_t pointer into libgmp.

This isn't a real fix, but instead of blindly assuming that the
attached expression has a gmp value die with at least some info.

Signed-off-by: Florian Westphal
---

diff --git a/src/intervals.c b/src/intervals.c index d79c52c5..af48d5ec 100644 --- a/src/intervals.c +++ b/src/intervals.c @@ -24,6 +24,9 @@ static void setelem_expr_to_range(struct expr *expr) case EXPR_RANGE: break; case EXPR_PREFIX: + if (expr->key->prefix->etype != EXPR_VALUE) + BUG("Prefix for unexpected type %d", expr->key->prefix->etype); + mpz_init(rop); mpz_bitmask(rop, expr->key->len - expr->key->prefix_len); if (expr_basetype(expr)->type == TYPE_STRING)
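
Review bot: In the EXPR_PREFIX case of setelem_expr_to_range(), the new BUG() still ends the process on a condition that the commit message shows is reachable from an ordinary ruleset (the 172.16.0.0/16 element in an inet_service set), so malformed input produces an abort instead of a reported error. The check does stop the invalid mpz_t from reaching libgmp, which is the memory-safety part, but as the message itself says this is not the real fix: a prefix whose expr->key->prefix->etype is not EXPR_VALUE should be rejected before interval processing, with an error that points at the offending element, leaving this BUG() as a last-resort assertion. The diagnostic also prints only the numeric etype via %d; printing the expression type name as well, if a helper for that is available here, would make reports from users actionable without a lookup in the enum. A comment above the check saying why a non-value prefix can arrive at this point would help the next reader, since the hunk alone does not explain it.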