From a852022d719e5a414df41a10c331f4492e9d3073 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Fri, 22 Dec 2023 15:30:09 +0100 Subject: [PATCH] datatype: do not assert when value exceeds expected width Inputs: ip protocol . th dport { tcp / 22, }' or th dport . ip protocol { tcp / 22, }' are not rejected at this time. 'list ruleset' yields: ip protocol & nft: src/gmputil.c:77: mpz_get_uint8: Assertion `cnt <= 1' failed. or th dport & nft: src/gmputil.c:87: mpz_get_be16: Assertion `cnt <= 1' failed. While this should be caught at input too, the print path should be more robust, e.g. when there are direct nfnetlink users. After this patch, the print functions fall back to 'integer_type_print' which can handle large numbers too. Note that the output printed this way cannot be read back by nft; it will dump something like: tcp dport & 18446739675663040512 . ip protocol 0 . 0 but thats better than assert(). v2: same problem exists for service too. Signed-off-by: Florian Westphal --- src/datatype.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/datatype.c b/src/datatype.c index 3b19ae8e..099e7580 100644 --- a/src/datatype.c +++ b/src/datatype.c @@ -715,7 +715,8 @@ const struct datatype ip6addr_type = { static void inet_protocol_type_print(const struct expr *expr, struct output_ctx *octx) { - if (!nft_output_numeric_proto(octx)) { + if (!nft_output_numeric_proto(octx) && + mpz_cmp_ui(expr->value, UINT8_MAX) <= 0) { char name[NFT_PROTONAME_MAXSIZE]; if (nft_getprotobynumber(mpz_get_uint8(expr->value), name, sizeof(name))) { @@ -796,7 +797,8 @@ static void inet_service_print(const struct expr *expr, struct output_ctx *octx) void inet_service_type_print(const struct expr *expr, struct output_ctx *octx) { - if (nft_output_service(octx)) { + if (nft_output_service(octx) && + mpz_cmp_ui(expr->value, UINT16_MAX) <= 0) { inet_service_print(expr, octx); return; } -- 2.47.3