git.ipfire.org Git - thirdparty/nftables.git/commit
src: do not merge a set with an erroneous one
author Florian Westphal <fw@strlen.de>
Fri, 12 Jan 2024 12:19:26 +0000 (13:19 +0100)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 20 Mar 2024 17:50:03 +0000 (18:50 +0100)
commit ea011231c06cbe828cf6056bc9c3d116e1f528d5
tree 320bdd5136bf3d2c82b2417c1863e091b12d7e98
parent 840cb6df16973139a1981fcec276f59d3b92bb46
src: do not merge a set with an erroneous one

The included sample causes a crash because we attempt to
range-merge a prefix expression with a symbolic expression.

The first set is evaluated, the symbol expression evaluation fails
and nft queues an error message ("Could not resolve hostname").

However, nft continues evaluation.

nft then encounters the same set definition again and merges the
new content with the preceding one.

But the first set structure is dodgy: it still contains the
unresolved symbolic expression.

That then makes nft crash (assert) in the set internals.

There are various different incarnations of this issue, but the low
level set processing code does not allow for any partially transformed
expressions to still remain.

Before:
nft --check -f tests/shell/testcases/bogons/nft-f/invalid_range_expr_type_binop
BUG: invalid range expression type binop
nft: src/expression.c:1479: range_expr_value_low: Assertion `0' failed.

After:
nft --check -f tests/shell/testcases/bogons/nft-f/invalid_range_expr_type_binop
invalid_range_expr_type_binop:4:18-25: Error: Could not resolve hostname: Name or service not known
elements = { 1&.141.0.1 - 192.168.0.2}
             ^^^^^^^^

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/rule.h
src/evaluate.c
src/intervals.c
tests/shell/testcases/bogons/nft-f/invalid_range_expr_type_binop [new file with mode: 0644]