Hi Florian,

On Wed, Dec 06, 2023 at 02:07:09PM +0100, Florian Westphal wrote:
> 'meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 }' will
> crash.  Reason is that the l2 dependency generated here is errounously
> expanded to a 32bit-one, so the evaluation path won't recognize this
> as a L2 dependency.  Therefore, pctx->stacked_ll_count is 0 and
> __expr_evaluate_payload() crashes with a null deref when
> dereferencing pctx->stacked_ll[0].
> 
> Reset stmt_len in expr_evaluate_relational() to avoid
> this.

See patch attached, I mangled your original patch with this:

    Consolidate stmt_len reset in stmt_evaluate() to avoid this.
    stmt_evaluate_meta() and stmt_evaluate_ct() already resets it, payload
    dependencies also manually reset this before calling stmt_evaluate() to
    evaluate such dependency.

See attachment. The idea is to consolidate all these ctx->stmt_len
resets.