From: Florian Westphal <fw@strlen.de>
Date: Sun, 13 Jul 2025 21:59:30 +0000 (+0200)
Subject: evaluate: fix crash with invalid elements in set
X-Git-Tag: v1.1.4~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8cb7cfc2d8c7f2d8dec804ab028883c1d260e717;p=thirdparty%2Fnftables.git

evaluate: fix crash with invalid elements in set

ctx->ectx.key can be cleared, causing a crash:

src/nft --check -f tests/shell/testcases/bogons/nft-f/set_with_bad_elem
AddressSanitizer:DEADLYSIGNAL
    #0 0x7ffb57098c0d in elem_key_compatible src/evaluate.c:1934
    #1 0x7ffb5709926d in expr_evaluate_set_elem src/evaluate.c:1979
    #2 0x7ffb570a540f in expr_evaluate src/evaluate.c:3159
    #3 0x7ffb57095f33 in list_member_evaluate src/evaluate.c:1652
    #4 0x7ffb57099f92 in expr_evaluate_set src/evaluate.c:2066
    #5 0x7ffb570a53f7 in expr_evaluate src/evaluate.c:3157
    ..
AddressSanitizer: SEGV src/evaluate.c:1934 in elem_key_compatible

After:
set_with_bad_elem:4:39-46: Error: Element mismatches set definition, expected IPv4 address, not 'integer'
  elements = { 1.2.3.4, tcp << 8 }
                        ^^^^^^^^

Use ctx->set->key instead.

Fixes: 7f4d7fef31bd ("evaluate: check element key vs. set definition")
Signed-off-by: Florian Westphal <fw@strlen.de>
---

diff --git a/src/evaluate.c b/src/evaluate.c
index 9c905908..f7e97ef7 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1976,11 +1976,11 @@ static int expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr **expr)
 		}
 	}
 
-	if (ctx->set && !elem_key_compatible(ctx->ectx.key, elem->key))
+	if (ctx->set && !elem_key_compatible(ctx->set->key, elem->key))
 		return expr_error(ctx->msgs, elem,
 				  "Element mismatches %s definition, expected %s, not '%s'",
 				  set_is_map(ctx->set->flags) ? "map" : "set",
-				  ctx->ectx.key->dtype->desc, elem->key->dtype->desc);
+				  ctx->set->key->dtype->desc, elem->key->dtype->desc);
 
 	datatype_set(elem, elem->key->dtype);
 	elem->len   = elem->key->len;
diff --git a/tests/shell/testcases/bogons/nft-f/set_with_bad_elem b/tests/shell/testcases/bogons/nft-f/set_with_bad_elem
new file mode 100644
index 00000000..626ad080
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/set_with_bad_elem
@@ -0,0 +1,6 @@
+table t {
+        set y {
+                typeof ip daddr
+                elements = { 1.2.3.4, tcp << 8 }
+        }
+}