Quoting Alessandro Gario:
Anthropic is conducting research into the use of large language models
for automated vulnerability discovery in open source software. As part
of that work, Anthropic used Claude to scan a set of widely used open
source projects for security issues. Anthropic then engaged Trail of
Bits to independently triage, manually validate, and develop patches
for the findings. [..]
json_parse_map_stmt() in src/parser_json.c:2584 passes
&stmt->set.stmt_list to json_parse_set_stmt_list(), but the
statement object is a map_stmt. The function reads as a copy/edit of
json_parse_set_stmt() that forgot to retarget the list-head pointer.
Reported-by: Alessandro Gario <alessandro.gario@trailofbits.com>
Fixes: 27a2da23d508 ("netlink_linearize: skip set element expression in map statement key")
Signed-off-by: Florian Westphal <fw@strlen.de>
stmt->map.set = expr2;
if (!json_unpack(value, "{s:o}", "stmt", &stmt_json) &&
- json_parse_set_stmt_list(ctx, &stmt->set.stmt_list, stmt_json) < 0) {
+ json_parse_set_stmt_list(ctx, &stmt->map.stmt_list, stmt_json) < 0) {
stmt_free(stmt);
return NULL;
}
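Review bot: the corrected call on the `+` line, `json_parse_set_stmt_list(ctx, &stmt->map.stmt_list, stmt_json)`, comes with no regression test in the visible patch, and the commit message does not say what passing `&stmt->set.stmt_list` for a map_stmt caused at runtime. A JSON test case that feeds a map statement carrying a "stmt" entry would exercise this branch and pin the list head to the map member. A sentence in the message on the observable impact of the old pointer would also help anyone deciding whether to backport. Since the message describes the function as a copy/edit of json_parse_set_stmt(), it is worth checking the other accesses in json_parse_map_stmt() for the same leftover `stmt->set.` references. The `stmt->map.set = expr2;` context line suggests the rest was retargeted, but only this hunk is shown.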