From: Florian Westphal Date: Wed, 8 Jan 2025 11:30:15 +0000 (+0100) Subject: rule: make cmd_free(NULL) valid X-Git-Tag: v1.1.2~104 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=581e051ae26b503484b7634b8799a9b9b531e95d;p=thirdparty%2Fnftables.git rule: make cmd_free(NULL) valid bison uses cmd_free($$) as destructor, but base_cmd can set it to NULL, e.g. | ELEMENT set_spec set_block_expr { if (nft_cmd_collapse_elems(CMD_ADD, state->cmds, &$2, $3)) { handle_free(&$2); expr_free($3); $$ = NULL; // cmd set to NULL break; } $$ = cmd_alloc(CMD_ADD, CMD_OBJ_ELEMENTS, &$2, &@$, $3); expr_free(NULL) is legal, cmd_free() causes crash. So just allow this to avoid cluttering parser_bison.y with "if ($$)". Also add the afl-generated bogon input to the test files. Signed-off-by: Florian Westphal Reviewed-by: Pablo Neira Ayuso --- diff --git a/src/rule.c b/src/rule.c index 151ed531..cc43cd18 100644 --- a/src/rule.c +++ b/src/rule.c @@ -1372,6 +1372,9 @@ void monitor_free(struct monitor *m) void cmd_free(struct cmd *cmd) { + if (cmd == NULL) + return; + handle_free(&cmd->handle); if (cmd->data != NULL) { switch (cmd->obj) { diff --git a/tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free b/tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free new file mode 100644 index 00000000..6a42aa90 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free @@ -0,0 +1,20 @@ +nt rootepep test- { +* : 1:3 } + element root tesip { +* : 1:3 } + elent rootsel s1 { + typ� elements < { "Linux" } + } +tatlet e t { + thataepep test- { +* : 1:3 } + element root tesip { +* : 1:3 }� table Cridgents < t { +list set y p + type i , { + sel s1 { + typ� elements < { "Linux" } + } +tatlet e t { + thatable Cridgents < t { +lis