From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nft 4/4] evaluate: reject tunnel section if another one is already present
Date: Thu, 16 Oct 2025 16:59:36 +0200 [thread overview]
Message-ID: <20251016145955.7785-5-fw@strlen.de> (raw)
In-Reply-To: <20251016145955.7785-1-fw@strlen.de>
Included bogon causes a crash because the list head isn't initialised
due to tunnel->type == VXLAN.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/parser_bison.y | 38 ++++++++++++++++---
.../bogons/nft-f/tunnel_in_tunnel_crash | 10 +++++
2 files changed, 42 insertions(+), 6 deletions(-)
create mode 100644 tests/shell/testcases/bogons/nft-f/tunnel_in_tunnel_crash
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 4e028d31c165..3c21c7584d01 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -144,6 +144,19 @@ static bool already_set(const void *attr, const struct location *loc,
return true;
}
+static bool tunnel_set_type(const struct location *loc,
+ struct obj *obj, enum tunnel_type type, const char *name,
+ struct parser_state *state)
+{
+ if (obj->tunnel.type) {
+ erec_queue(error(loc, "Cannot create new %s section inside another tunnel", name), state->msgs);
+ return false;
+ }
+
+ obj->tunnel.type = type;
+ return true;
+}
+
static struct expr *ifname_expr_alloc(const struct location *location,
struct list_head *queue,
const char *name)
@@ -4980,11 +4993,15 @@ erspan_block : /* empty */ { $$ = $<obj>-1; }
erspan_block_alloc : /* empty */
{
$$ = $<obj>-1;
+
+ if (!tunnel_set_type(&$$->location, $$, TUNNEL_ERSPAN, "erspan", state))
+ YYERROR;
}
;
erspan_config : HDRVERSION NUM
{
+ assert($<obj>0->tunnel.type == TUNNEL_ERSPAN);
$<obj>0->tunnel.erspan.version = $2;
}
| INDEX NUM
@@ -5017,6 +5034,10 @@ geneve_block : /* empty */ { $$ = $<obj>-1; }
geneve_block_alloc : /* empty */
{
$$ = $<obj>-1;
+ if (!tunnel_set_type(&$$->location, $$, TUNNEL_GENEVE, "geneve", state))
+ YYERROR;
+
+ init_list_head(&$$->tunnel.geneve_opts);
}
;
@@ -5024,6 +5045,8 @@ geneve_config : CLASS NUM OPTTYPE NUM DATA string
{
struct tunnel_geneve *geneve;
+ assert($<obj>0->tunnel.type == TUNNEL_GENEVE);
+
geneve = xmalloc(sizeof(struct tunnel_geneve));
geneve->geneve_class = $2;
geneve->type = $4;
@@ -5034,10 +5057,6 @@ geneve_config : CLASS NUM OPTTYPE NUM DATA string
YYERROR;
}
- if (!$<obj>0->tunnel.type) {
- $<obj>0->tunnel.type = TUNNEL_GENEVE;
- init_list_head(&$<obj>0->tunnel.geneve_opts);
- }
list_add_tail(&geneve->list, &$<obj>0->tunnel.geneve_opts);
free_const($6);
}
@@ -5055,11 +5074,15 @@ vxlan_block : /* empty */ { $$ = $<obj>-1; }
vxlan_block_alloc : /* empty */
{
$$ = $<obj>-1;
+
+ if (!tunnel_set_type(&$$->location, $$, TUNNEL_VXLAN, "vxlan", state))
+ YYERROR;
}
;
vxlan_config : GBP NUM
{
+ assert($<obj>0->tunnel.type == TUNNEL_VXLAN);
$<obj>0->tunnel.vxlan.gbp = $2;
}
;
@@ -5123,13 +5146,16 @@ tunnel_config : ID NUM
}
| ERSPAN erspan_block_alloc '{' erspan_block '}'
{
- $<obj>0->tunnel.type = TUNNEL_ERSPAN;
+ $2->location = @2;
}
| VXLAN vxlan_block_alloc '{' vxlan_block '}'
{
- $<obj>0->tunnel.type = TUNNEL_VXLAN;
+ $2->location = @2;
}
| GENEVE geneve_block_alloc '{' geneve_block '}'
+ {
+ $2->location = @2;
+ }
;
tunnel_block : /* empty */ { $$ = $<obj>-1; }
diff --git a/tests/shell/testcases/bogons/nft-f/tunnel_in_tunnel_crash b/tests/shell/testcases/bogons/nft-f/tunnel_in_tunnel_crash
new file mode 100644
index 000000000000..9f029807f521
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/tunnel_in_tunnel_crash
@@ -0,0 +1,10 @@
+table netdev x {
+ tunnel geneve-t {
+ vxlan {
+ gbp 200
+ }
+ geneve {
+ class 0x1 opt-type 0x1 data "0x12345678"
+ }
+ }
+
--
2.51.0
next prev parent reply other threads:[~2025-10-16 15:00 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-16 14:59 [PATCH nft 0/4] nft tunnel mode parser/eval fixes Florian Westphal
2025-10-16 14:59 ` [PATCH nft 1/4] evaluate: tunnel: don't assume src is set Florian Westphal
2025-10-16 23:37 ` Fernando Fernandez Mancera
2025-10-16 14:59 ` [PATCH nft 2/4] src: tunnel src/dst must be a symbolic expression Florian Westphal
2025-10-16 23:39 ` Fernando Fernandez Mancera
2025-10-16 14:59 ` [PATCH nft 3/4] src: parser_bison: prevent multiple ip daddr/saddr definitions Florian Westphal
2025-10-16 23:41 ` Fernando Fernandez Mancera
2025-10-16 14:59 ` Florian Westphal [this message]
2025-10-16 23:44 ` [PATCH nft 4/4] evaluate: reject tunnel section if another one is already present Fernando Fernandez Mancera
2025-10-16 23:46 ` [PATCH nft 0/4] nft tunnel mode parser/eval fixes Fernando Fernandez Mancera
2025-10-17 9:39 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251016145955.7785-5-fw@strlen.de \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).