From: Florian Westphal Date: Thu, 21 May 2026 14:18:55 +0000 (+0200) Subject: parser_json: fix map/set type confusion crash in map statement parser X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=628701e796ab9a4da5541cf77fa809c2ce8e7720;p=thirdparty%2Fnftables.git parser_json: fix map/set type confusion crash in map statement parser Quoting Alessandro Gario: Anthropic is conducting research into the use of large language models for automated vulnerability discovery in open source software. As part of that work, Anthropic used Claude to scan a set of widely used open source projects for security issues. Anthropic then engaged Trail of Bits to independently triage, manually validate, and develop patches for the findings. [..] json_parse_map_stmt() in src/parser_json.c:2584 passes &stmt->set.stmt_list to json_parse_set_stmt_list(), but the statement object is a map_stmt. The function reads as a copy/edit of json_parse_set_stmt() that forgot to retarget the list-head pointer. Reported-by: Alessandro Gario Fixes: 27a2da23d508 ("netlink_linearize: skip set element expression in map statement key") Signed-off-by: Florian Westphal --- diff --git a/src/parser_json.c b/src/parser_json.c index 2f70b987..f04772a0 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -2581,7 +2581,7 @@ static struct stmt *json_parse_map_stmt(struct json_ctx *ctx, stmt->map.set = expr2; if (!json_unpack(value, "{s:o}", "stmt", &stmt_json) && - json_parse_set_stmt_list(ctx, &stmt->set.stmt_list, stmt_json) < 0) { + json_parse_set_stmt_list(ctx, &stmt->map.stmt_list, stmt_json) < 0) { stmt_free(stmt); return NULL; }
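Review bot: The fix should come with a regression test in the JSON test suite that feeds a map statement carrying a "stmt" list, since the crash only triggers on that path and nothing in this hunk exercises it. The change itself is correct as far as the visible lines go: the list head now points at stmt->map.stmt_list, consistent with the `stmt->map.set = expr2;` assignment in the context just above, whereas the old `&stmt->set.stmt_list` addressed the set member of the union for a statement that is a map_stmt. Because the commit message says json_parse_map_stmt() is a copy of json_parse_set_stmt(), it is worth scanning the rest of that function for any remaining `stmt->set.` access before merging; a union field mismatch like this compiles cleanly, so only review or a test will catch a second instance.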