From: Florian Westphal <fw@strlen.de>
Date: Fri, 8 Dec 2023 18:38:33 +0000 (+0100)
Subject: evaluate: fix bogus assertion failure with boolean datatype
X-Git-Tag: v1.1.0~165
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=567937b5560fbcc7f6b74fb43c52e1cab2ac425a;p=thirdparty%2Fnftables.git

evaluate: fix bogus assertion failure with boolean datatype

The assertion is too strict, as found by afl++:

typeof iifname . ip saddr . meta ipsec
elements = { "eth0" . 10.1.1.2 . 1 }

meta ipsec is boolean (1 bit), but datasize of 1 is set at 8 bit.

Fixes: 22b750aa6dc9 ("src: allow use of base integer types as set keys in concatenations")
Signed-off-by: Florian Westphal <fw@strlen.de>
---

diff --git a/src/evaluate.c b/src/evaluate.c
index 715c398a..1b3e8097 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4679,14 +4679,15 @@ static int set_expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)
 						 "expressions",
 						 i->dtype->name);
 
-		if (i->dtype->size)
-			assert(i->len == i->dtype->size);
-
 		flags &= i->flags;
 
 		ntype = concat_subtype_add(ntype, i->dtype->type);
 
 		dsize_bytes = div_round_up(i->len, BITS_PER_BYTE);
+
+		if (i->dtype->size)
+			assert(dsize_bytes == div_round_up(i->dtype->size, BITS_PER_BYTE));
+
 		(*expr)->field_len[(*expr)->field_count++] = dsize_bytes;
 		size += netlink_padded_len(i->len);
 	}
diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft
index 6f5b83af..63fc5b14 100644
--- a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft
+++ b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft
@@ -55,6 +55,11 @@ table inet t {
 		elements = { 3567 . 1.2.3.4 }
 	}
 
+	set s12 {
+		typeof iifname . ip saddr . meta ipsec
+		elements = { "eth0" . 10.1.1.2 . exists }
+	}
+
 	chain c1 {
 		osf name @s1 accept
 	}
@@ -94,4 +99,8 @@ table inet t {
 	chain c11 {
 		vlan id . ip saddr @s11 accept
 	}
+
+	chain c12 {
+		iifname . ip saddr . meta ipsec @s12 accept
+	}
 }
diff --git a/tests/shell/testcases/sets/typeof_sets_0 b/tests/shell/testcases/sets/typeof_sets_0
index 92555a1f..016227da 100755
--- a/tests/shell/testcases/sets/typeof_sets_0
+++ b/tests/shell/testcases/sets/typeof_sets_0
@@ -113,6 +113,10 @@ INPUT="table inet t {$INPUT_OSF_SET
 		typeof vlan id . ip saddr
 		elements = { 3567 . 1.2.3.4 }
 	}
+	set s12 {
+		typeof meta iifname . ip saddr . meta ipsec
+		elements = { \"eth0\" . 10.1.1.2 . 1 }
+	}
 $INPUT_OSF_CHAIN
 	chain c2 {
 		ether type vlan vlan id @s2 accept
@@ -138,6 +142,10 @@ $INPUT_VERSION_CHAIN
 	chain c11 {
 		ether type vlan vlan id . ip saddr @s11 accept
 	}
+
+	chain c12 {
+		meta iifname . ip saddr . meta ipsec @s12 accept
+	}
 }"
 
 EXPECTED="table inet t {$INPUT_OSF_SET
@@ -181,6 +189,11 @@ $INPUT_VERSION_SET
 		typeof vlan id . ip saddr
 		elements = { 3567 . 1.2.3.4 }
 	}
+
+	set s12 {
+		typeof iifname . ip saddr . meta ipsec
+		elements = { \"eth0\" . 10.1.1.2 . exists }
+	}
 $INPUT_OSF_CHAIN
 	chain c2 {
 		vlan id @s2 accept
@@ -205,6 +218,10 @@ $INPUT_SCTP_CHAIN$INPUT_VERSION_CHAIN
 	chain c11 {
 		vlan id . ip saddr @s11 accept
 	}
+
+	chain c12 {
+		iifname . ip saddr . meta ipsec @s12 accept
+	}
 }"