git.ipfire.org Git - thirdparty/nftables.git/commit

author	Florian Westphal <fw@strlen.de>
	Thu, 27 Feb 2025 14:52:10 +0000 (15:52 +0100)
committer	Florian Westphal <fw@strlen.de>
	Thu, 6 Mar 2025 03:55:43 +0000 (04:55 +0100)
commit	d199cca92f9eb296ea527f4938d5454ce0b4cc8f
tree	03d2bcb696d345dc935eca3b55dae300d8351aaa	tree
parent	01fe0f07a0ed9b3882fed82dcdfbae0ab1a3b04e	commit \| diff

expression: expr_build_udata_recurse should recurse

If we see EXPR_BINOP, recurse: ->left can be another EXPR_BINOP.

This is irrelevant for 'typeof' named sets, but for anonymous sets, the
key is derived from the concat expression that builds the lookup key for
the anonymous set.

tcp option mptcp subtype . ip daddr { mp-join. 10.0.0.1, ..

needs two binops back-to-back:

  [ exthdr load tcpopt 1b @ 30 + 2 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
  [ bitwise reg 1 = ( reg 1 >> 0x00000004 ) ]

This bug prevents concat_expr_build_udata() from creating the userdata key
at load time.

When listing the rules, we get an assertion:
nft: src/mergesort.c:23: concat_expr_msort_value: Assertion `ilen > 0' failed.

because the set has a key with 0-length integers.

Signed-off-by: Florian Westphal <fw@strlen.de>

src/expression.c		diff \| blob \| blame \| history
tests/py/any/tcpopt.t		diff \| blob \| blame \| history
tests/py/any/tcpopt.t.json		diff \| blob \| blame \| history
tests/py/any/tcpopt.t.payload		diff \| blob \| blame \| history