From: Florian Westphal <fw@strlen.de>
Date: Fri, 12 Jan 2024 12:32:17 +0000 (+0100)
Subject: rule: do not crash if to-be-printed flowtable lacks priority
X-Git-Tag: v1.0.6.1~201
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a6636cc2553c514596a9cc766867d9c552c20702;p=thirdparty%2Fnftables.git

rule: do not crash if to-be-printed flowtable lacks priority

commit b40bebbcee3602e2d849e48f3a50676bd8987204 upstream.

Print an empty flowtable rather than crashing when dereferencing
flowtable->priority.expr (its NULL).

Signed-off-by: Florian Westphal <fw@strlen.de>
---

diff --git a/src/rule.c b/src/rule.c
index 5c610d6d..863c34d0 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -2266,12 +2266,15 @@ static void flowtable_print_declaration(const struct flowtable *flowtable,
 	if (nft_output_handle(octx))
 		nft_print(octx, " # handle %" PRIu64, flowtable->handle.handle.id);
 	nft_print(octx, "%s", opts->nl);
-	nft_print(octx, "%s%shook %s priority %s%s",
-		  opts->tab, opts->tab,
-		  hooknum2str(NFPROTO_NETDEV, flowtable->hook.num),
-		  prio2str(octx, priobuf, sizeof(priobuf), NFPROTO_NETDEV,
-			   flowtable->hook.num, flowtable->priority.expr),
-		  opts->stmt_separator);
+
+	if (flowtable->priority.expr) {
+		nft_print(octx, "%s%shook %s priority %s%s",
+			  opts->tab, opts->tab,
+			  hooknum2str(NFPROTO_NETDEV, flowtable->hook.num),
+			  prio2str(octx, priobuf, sizeof(priobuf), NFPROTO_NETDEV,
+				   flowtable->hook.num, flowtable->priority.expr),
+			  opts->stmt_separator);
+	}
 
 	if (flowtable->dev_array_len > 0) {
 		nft_print(octx, "%s%sdevices = { ", opts->tab, opts->tab);
diff --git a/tests/shell/testcases/bogons/flowtable-no-priority-crash b/tests/shell/testcases/bogons/flowtable-no-priority-crash
new file mode 100644
index 00000000..b327a2bd
--- /dev/null
+++ b/tests/shell/testcases/bogons/flowtable-no-priority-crash
@@ -0,0 +1,6 @@
+reset rules
+table inet filter {
+	flowtable f {
+		devices = { lo }
+	}
+}