netlink_delinarize: don't check for set element if set is not populated

0065_icmp_postprocessing: line 13: Segmentation fault $NFT insert rule ip x foo index 1 accept

Since no listing is done, cache isn't populated and 'nft insert' will trip over
set->init == NULL during postprocessing of the existing 'icmp id 42' expression.

Fixes: 9a5574e2d4e9 ("netlink_delinearize: add missing icmp id/sequence support")
Reported-by: Eric Garver <eric@garver.life>
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 6a6f7747699421eb9d9dbb93e8227c83b765e3d7..71b69f622a7660da6f37157b9d8bfe6d9fae5b82 100644 (file)
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1945,6 +1945,7 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx,
                        struct set *set = expr->right->set;
 
                        if (set_is_anonymous(set->flags) &&
+                           set->init &&
                            !list_empty(&set->init->expressions)) {
                                struct expr *elem;
 

diff --git a/tests/shell/testcases/sets/0065_icmp_postprocessing b/tests/shell/testcases/sets/0065_icmp_postprocessing
new file mode 100755 (executable)
index 0000000..f838c3e
--- /dev/null
+++ b/tests/shell/testcases/sets/0065_icmp_postprocessing
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+       chain foo {
+               icmp id 42
+       }
+}"
+
+$NFT -f - <<< $RULESET
+
+$NFT insert rule ip x foo index 0 accept