From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nft 1/3] intervals: BUG on prefix expressions without value
Date: Wed, 13 Dec 2023 18:06:43 +0100
Message-ID: <20231213170650.13451-2-fw@strlen.de>
In-Reply-To: <20231213170650.13451-1-fw@strlen.de>

It's possible to end up with prefix expressions that have
a symbolic expression, e.g.:

    table t {
        set s {
            type inet_service
            flags interval
            elements = { 0-1024, 8080-8082, 10000-40000 }
            elements = { 172.16.0.0/16 }
        }

        set s {
            type inet_service
            flags interval
            elements = { 0-1024, 8080-8082, 10000-40000 }
        }
    }

Without this change, nft will crash. We end up in setelem_expr_to_range()
with prefix "/16" for the symbolic expression "172.16.0.0".

We then pass an invalid mpz_t pointer into libgmp.

This isn't the right fix (see next patch), but instead of blindly assuming
that the attached expression has a gmp value, die with at least some info.

It's possible there are more ways than one to feed such
"symbol-with-prefix" down into the interval code, so also add this
assertion.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/intervals.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/intervals.c b/src/intervals.c
index 85de0199c373..6849b221df2c 100644
--- a/src/intervals.c
+++ b/src/intervals.c
@@ -26,6 +26,9 @@ static void setelem_expr_to_range(struct expr *expr)
case EXPR_RANGE:
break;
case EXPR_PREFIX:
+ if (expr->key->prefix->etype != EXPR_VALUE)
+ BUG("Prefix for unexpected type %d", expr->key->prefix->etype);
+
mpz_init(rop);
mpz_bitmask(rop, expr->key->len - expr->key->prefix_len);
if (expr_basetype(expr)->type == TYPE_STRING)
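Review bot: The BUG() message in the new EXPR_PREFIX check reports only the raw numeric etype via %d and its format string has no trailing newline, so the abort output will not tell a user which set element triggered it. Consider printing a symbolic type name instead of the integer, and terminate the string with "\n" unless BUG() appends one itself. The check also dereferences expr->key->prefix without testing it for NULL; if a prefix expression can reach this point with no attached expression, the guard itself would fault before printing anything. Since the commit message says other paths may feed a symbol-with-prefix into the interval code, a short comment above the check stating why a non-EXPR_VALUE prefix is fatal here would help whoever hits it later.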
--
2.41.0
Thread overview: 5+ messages
2023-12-13 17:06 [PATCH nft 0/3] src: make set-merging less zealous Florian Westphal
2023-12-13 17:06 ` Florian Westphal [this message]
2023-12-13 17:06 ` [PATCH nft 2/3] src: do not merge a set with a erroneous one Florian Westphal
2023-12-13 17:06 ` [PATCH nft 3/3] evaluate: don't assert if set->data is NULL Florian Westphal
2023-12-16 10:11 ` [PATCH nft 0/3] src: make set-merging less zealous Florian Westphal