From: Florian Westphal Date: Wed, 30 Jun 2021 15:45:18 +0000 (+0200) Subject: netlink_delinarize: don't check for set element if set is not populated X-Git-Tag: v1.0.0~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d225d296ec48adefdbd3d003598a5d3c4ee22ff;p=thirdparty%2Fnftables.git netlink_delinarize: don't check for set element if set is not populated 0065_icmp_postprocessing: line 13: Segmentation fault $NFT insert rule ip x foo index 1 accept Since no listing is done, cache isn't populated and 'nft insert' will trip over set->init == NULL during postprocessing of the existing 'icmp id 42' expression. Fixes: 9a5574e2d4e9 ("netlink_delinearize: add missing icmp id/sequence support") Reported-by: Eric Garver Reported-by: Phil Sutter Signed-off-by: Florian Westphal --- diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 6a6f7747..71b69f62 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -1945,6 +1945,7 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx, struct set *set = expr->right->set; if (set_is_anonymous(set->flags) && + set->init && !list_empty(&set->init->expressions)) { struct expr *elem; diff --git a/tests/shell/testcases/sets/0065_icmp_postprocessing b/tests/shell/testcases/sets/0065_icmp_postprocessing new file mode 100755 index 00000000..f838c3ef --- /dev/null +++ b/tests/shell/testcases/sets/0065_icmp_postprocessing @@ -0,0 +1,13 @@ +#!/bin/bash + +set -e + +RULESET="table ip x { + chain foo { + icmp id 42 + } +}" + +$NFT -f - <<< $RULESET + +$NFT insert rule ip x foo index 0 accept