It was surprisingly easy to crash nft with invalid syntax in the 'add
flowtable' command. Catch at least three of the possible ways (illustrated
in the provided test case) by making the evaluation phase survive so that
bison gets a chance to complain.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
if (ft->hooknum == NF_INET_NUMHOOKS)
return chain_error(ctx, ft, "invalid hook %s", ft->hookstr);
+ if (!ft->dev_expr)
+ return chain_error(ctx, ft, "Unbound flowtable not allowed (must specify devices)");
+
return 0;
}
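Review bot: The new guard at L9 is placed after the hook check at L7, so a declaration that merely omits `hook` never reaches it: once `str2hooknum()` maps a NULL hook to `NF_INET_NUMHOOKS` (L16-L17), that case takes the L8 path and passes `ft->hookstr` — presumably NULL in that situation — to `%s`, which is undefined behaviour in C even though glibc happens to print "(null)". I would reject the missing hook explicitly before L7 with its own message, e.g. `if (!ft->hookstr) return chain_error(ctx, ft, "missing hook in flowtable declaration");`, so the `%s` at L8 only ever sees a real string. The check at L9-L10 itself is fine; for consistency with L8 I would lower-case the message start ("unbound flowtable not allowed ..."). The enclosing function starts outside the hunk, and that `ft->hookstr` is what gets handed to `str2hooknum()` is inferred from L8 rather than visible here.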
static uint32_t str2hooknum(uint32_t family, const char *hook)
{
+ if (!hook)
+ return NF_INET_NUMHOOKS;
+
switch (family) {
case NFPROTO_IPV4:
case NFPROTO_BRIDGE:
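Review bot: The NULL guard at L16-L17 carries no comment, and it folds two distinct conditions — no hook given at all and an unknown hook name — into the same `NF_INET_NUMHOOKS` sentinel, so callers cannot tell them apart or safely print the hook string on that path. I would say so at the guard: `/* NULL: no hook given in the declaration; report it like an unknown hook. Callers must not format hook on this path. */`. If a distinct message for the missing-hook case is wanted, the caller has to test the pointer itself before calling this. The function continues past the hunk, so the remaining cases are not visible here.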
return;
if (--expr->refcnt > 0)
return;
- if (expr->ops->destroy)
+ if (expr->ops && expr->ops->destroy)
expr->ops->destroy(expr);
xfree(expr);
}
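Review bot: The added `expr->ops &&` at L26 is a silent defensive check with no hint of when `ops` can be NULL, which is exactly what the next maintainer will wonder about (and possibly "simplify" away). A short why-comment above L26 would settle it, e.g. `/* ops may still be unset if the parser bailed on a syntax error before completing this expression — confirm against the grammar's error paths */`, hedged as written since the allocation site is not in this hunk. `xfree(expr)` at L28 is reached either way, so the guard only skips the type-specific teardown. The enclosing function begins outside the hunk.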
--- /dev/null
+#!/bin/bash
+
+# Make sure nft does not segfault when given invalid syntax in 'add flowtable' commands.
+
+$NFT add table ip t
+
+$NFT add flowtable ip t f { hook ingress priority 10\; devices = { lo } }
+[[ $? -eq 1 ]] || exit 1
+
+$NFT add flowtable ip t f { hook ingress\; priority 10\; }
+[[ $? -eq 1 ]] || exit 1
+
+$NFT add flowtable ip t f { hook ingress priority 10\; }
+[[ $? -eq 1 ]] || exit 1
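Review bot: `$NFT add table ip t` at L35 is the only command whose status is not checked, yet every later assertion depends on it: if table creation fails (say, insufficient privileges or a leftover table from a previous run), the three `add flowtable` lines fail with exit 1 for an unrelated reason and the test passes vacuously. Make it `$NFT add table ip t || exit 1` so the script aborts on a broken precondition. Asserting `$? -eq 1` for the invalid commands is sound for the stated goal, since a segfault would surface as status 139 rather than 1. The comment at L33 could also name which defect each of the three invocations exercises (missing `;` between hook and priority, missing devices, both), so a future regression points at the right path.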