From: Pablo Neira Ayuso Date: Wed, 6 Dec 2023 12:40:22 +0000 (+0100) Subject: evaluate: reject set definition with no key X-Git-Tag: v1.0.6.1~309 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c4e17cbfd950f315d55b8ed2333c13cc19a49772;p=thirdparty%2Fnftables.git evaluate: reject set definition with no key commit 1949a63215b423b914d3a7a9de7511cb48af3c09 upstream. tests/shell/testcases/bogons/nft-f/set_definition_with_no_key_assert BUG: unhandled key type 2 nft: src/intervals.c:59: setelem_expr_to_range: Assertion `0' failed. This patch adds a new unit tests/shell courtesy of Florian Westphal. Fixes: 3975430b12d9 ("src: expand table command before evaluation") Reported-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso
---
diff --git a/src/evaluate.c b/src/evaluate.c
index fbba4be2..124b23e5 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4411,6 +4411,12 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
 struct stmt *stmt;
 const char *type;
 
+ type = set_is_map(set->flags) ? "map" : "set";
+
+ if (set->key == NULL)
+ return set_error(ctx, set, "%s definition does not specify key",
+ type);
+
 if (!set_is_anonymous(set->flags)) {
 table = table_cache_find(&ctx->nft->cache.table_cache,
 set->handle.table.name,
@@ -4434,8 +4440,6 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
 if (!(set->flags & NFT_SET_INTERVAL) && set->automerge)
 return set_error(ctx, set, "auto-merge only works with interval sets");
 
- type = set_is_map(set->flags) ? "map" : "set";
-
 if (set->key == NULL)
 return set_error(ctx, set, "%s definition does not specify key",
 type);
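Review bot: The early `set->key == NULL` check added in the first hunk carries no comment saying that its position is what fixes the crash, so a later reordering could move it back down. The commit message ties the failure to evaluation continuing with a keyless set (the `setelem_expr_to_range` assertion), which suggests the code below depends on `set->key`, though that code is not visible here. I would add `/* must run first: later evaluation appears to rely on set->key being set */` above the `if`. The message also mentions a new tests/shell case, but no test file appears in the diff on this page, so confirm the reproducer was carried into this backport. set_evaluate's body starts and ends outside the hunk.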
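Review bot: The `if (set->key == NULL)` check left as context at the end of the second hunk now duplicates the one added at the top of set_evaluate(), and looks unreachable unless something in between clears `set->key`, which is not visible here. Keeping both invites the two checks and their messages to drift apart. I would drop those three lines, or if the second check is kept deliberately as a backstop, mark it with `/* defensive: key already checked on entry */`. The function continues outside the hunk.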