From: Pablo Neira Ayuso
Date: Mon, 18 Nov 2024 11:44:06 +0000 (+0100)
Subject: optimize: compare expression length
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=0e892ef0c47a242d10afcb1dd36d10132ffa150c;p=thirdparty%2Fnftables.git
optimize: compare expression length
commit bc0311378285d41850e3508df905d75959ba4239 upstream.
do not merge raw payload expressions with different length. Other expression rely on key comparison which is assumed to have the same length already.
Fixes: 60dcc01d6351 ("optimize: add __expr_cmp()")
Signed-off-by: Pablo Neira Ayuso
---
diff --git a/src/optimize.c b/src/optimize.c
index dd7385ba..8fc2b901 100644
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -38,6 +38,8 @@ static bool __expr_cmp(const struct expr *expr_a, const struct expr *expr_b)
 {
 if (expr_a->etype != expr_b->etype)
 return false;
+ if (expr_a->len != expr_b->len)
+ return false;
 
 switch (expr_a->etype) {
 case EXPR_PAYLOAD:
diff --git a/tests/shell/testcases/optimizations/nomerge_raw_payload b/tests/shell/testcases/optimizations/nomerge_raw_payload
new file mode 100755
index 00000000..bb8678ac
--- /dev/null
+++ b/tests/shell/testcases/optimizations/nomerge_raw_payload
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ chain y {
+ type filter hook prerouting priority raw; policy accept;
+ @th,160,32 0x02736c00 drop comment \"sl\"
+ @th,160,112 0x870697a7a6173656f03636f6d00 drop comment \"pizzaseo.com\"
+ }
+}"
+
+$NFT -o -f - <<< $RULESET
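Review bot: The new `len` guard in `__expr_cmp()` sits ahead of the `switch` with no comment, so the code does not show that it exists for raw payload matches and is expected to be redundant for every other expression type. I would add `/* raw payload: same base and offset but a different width (e.g. @th,160,32 vs @th,160,112) must not be merged */` above the `if (expr_a->len != expr_b->len)` line. A wrong merge under `-o` changes which packets the ruleset drops, so the invariant is worth stating where it is enforced. Whether any case in the switch compares expressions whose `len` may legitimately differ cannot be checked from here, because the function body continues outside the hunk.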
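Review bot: The test asserts only that `$NFT -o -f -` exits successfully, so as far as this patch shows it would still pass if the optimizer merged the two `@th,160,…` rules into a single rule that happens to load. No expected-ruleset dump is part of the visible change; unless the harness compares against one that lives elsewhere, the load should be followed by a check on `$NFT list ruleset` that the `@th,160,32` and `@th,160,112` rules are both still present as separate `drop` rules. Separately, the here-string expands `$RULESET` unquoted on the last line; `$NFT -o -f - <<< "$RULESET"` keeps the ruleset's newlines intact on shells that word-split here-string expansions.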