datatype: do not assert when value exceeds expected width

Inputs:
ip protocol . th dport { tcp / 22,  }'
or
th dport . ip protocol { tcp / 22,  }'

are not rejected at this time. 'list ruleset' yields:
 ip protocol & nft: src/gmputil.c:77: mpz_get_uint8: Assertion `cnt <= 1' failed.
or
 th dport & nft: src/gmputil.c:87: mpz_get_be16: Assertion `cnt <= 1' failed.

While this should be caught at input too, the print path should be more
robust, e.g. when there are direct nfnetlink users.

After this patch, the print functions fall back to
'integer_type_print' which can handle large numbers too.

Note that the output printed this way cannot be read back by nft;
it will dump something like:

  tcp dport & 18446739675663040512 . ip protocol 0 . 0

but thats better than assert().

v2: same problem exists for service too.

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/src/datatype.c b/src/datatype.c
index 3b19ae8ef52d8d27546f65042fc2cec17c2dda35..099e7580bd6c33b7e49e4a4cf3696978acf3f97f 100644 (file)
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -715,7 +715,8 @@ const struct datatype ip6addr_type = {
 static void inet_protocol_type_print(const struct expr *expr,
                                      struct output_ctx *octx)
 {
-       if (!nft_output_numeric_proto(octx)) {
+       if (!nft_output_numeric_proto(octx) &&
+           mpz_cmp_ui(expr->value, UINT8_MAX) <= 0) {
                char name[NFT_PROTONAME_MAXSIZE];
 
                if (nft_getprotobynumber(mpz_get_uint8(expr->value), name, sizeof(name))) {
@@ -796,7 +797,8 @@ static void inet_service_print(const struct expr *expr, struct output_ctx *octx)
 
 void inet_service_type_print(const struct expr *expr, struct output_ctx *octx)
 {
-       if (nft_output_service(octx)) {
+       if (nft_output_service(octx) &&
+           mpz_cmp_ui(expr->value, UINT16_MAX) <= 0) {
                inet_service_print(expr, octx);
                return;
        }