git.ipfire.org Git - thirdparty/nftables.git/commit

author	Florian Westphal <fw@strlen.de>
	Wed, 2 Apr 2025 05:18:18 +0000 (07:18 +0200)
committer	Florian Westphal <fw@strlen.de>
	Wed, 2 Apr 2025 09:18:21 +0000 (11:18 +0200)
commit	713592c6008a8c589a00d3d3d2e49709ff2de62c
tree	588b358fbb009f14ea7378e338003219e86e062e	tree
parent	9b7346d1eac2eb90a2baf589affafec5b1a033b6	commit \| diff

parser_json: only allow concatenations with 2 or more expressions

The bison parser enforces this implicitly by grammar rules.
Because subkeys have to be conatenated via ".", notation, e.g.
"mark . ip saddr", all concatenation expressions always consist of at
least two elements.

But this doesn't apply to the json frontend which just uses an array:
it can be empty or only contain one element.

The included reproducer makes the eval stage set the "concatenation" flag
on the interval set. This prevents the needed conversion code to turn the
element values into ranges from getting run.

The reproducer asserts with:
nft: src/intervals.c:786: setelem_to_interval: Assertion `key->etype == EXPR_RANGE_VALUE' failed.

Convert the assertion to BUG() so we can see what element type got passed
to the set interval code in case we have further issues in this area.

Reject 0-or-1-element concatenations from the json parser.

Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

src/intervals.c		diff \| blob \| blame \| history
src/parser_json.c		diff \| blob \| blame \| history
tests/shell/testcases/bogons/nft-j-f/set_with_single_value_concat_assert	[new file with mode: 0644]	blob