git.ipfire.org Git - thirdparty/nftables.git/commit

author	Florian Westphal <fw@strlen.de>
	Wed, 2 Apr 2025 22:32:29 +0000 (00:32 +0200)
committer	Florian Westphal <fw@strlen.de>
	Wed, 29 Oct 2025 12:44:11 +0000 (13:44 +0100)
commit	8720428253d2ee35f59a1d7921da6d2468877257
tree	6b38205fa114ef4df7e6c23321dcaa66444cdf61	tree \| snapshot
parent	2c3edb0cc5ab4acc0b34d4d09db91755cef49712	commit \| diff

src: add refcount asserts

_get() functions must not be used when refcnt is 0, as expr_free()
releases expressions on 1 -> 0 transition.

Also, check that a refcount would not overflow from UINT_MAX to 0.
Use INT_MAX to also catch refcount leaks sooner, we don't expect
2**31 get()s on same object.

This helps catching use-after-free refcounting bugs even when nft
is built without ASAN support.

v3: use a macro + BUG to get more info without a coredump.

Signed-off-by: Florian Westphal <fw@strlen.de>

include/rule.h		diff \| blob \| blame \| history
include/utils.h		diff \| blob \| blame \| history
src/expression.c		diff \| blob \| blame \| history
src/rule.c		diff \| blob \| blame \| history