* [PATCH nft] evaluate: don't crash if range has same start and end interval
From: Florian Westphal @ 2025-03-10 7:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
In this case, the evaluation step replaces the range expression with a
single value and we'd crash as range->left/right contain garbage
values.

Simply replace the input expression with the evaluation result.

Also add a test case modeled on the afl reproducer.
Fixes: fe6cc0ad29cd ("evaluate: consolidate evaluation of symbol range expression")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/evaluate.c | 5 +++
.../dumps/range_with_same_start_end.json-nft | 35 +++++++++++++++++++
.../sets/dumps/range_with_same_start_end.nft | 7 ++++
.../testcases/sets/range_with_same_start_end | 13 +++++++
4 files changed, 60 insertions(+)
create mode 100644 tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft
create mode 100644 tests/shell/testcases/sets/dumps/range_with_same_start_end.nft
create mode 100755 tests/shell/testcases/sets/range_with_same_start_end
diff --git a/src/evaluate.c b/src/evaluate.c
index e27d08ce7ef8..722c11a23c2d 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2351,6 +2351,10 @@ static int expr_evaluate_symbol_range(struct eval_ctx *ctx, struct expr **exprp)
expr_free(range);
return -1;
}
+
+ if (range->etype != EXPR_RANGE)
+ goto out_done;
+
left = range->left;
right = range->right;
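Review bot: the new `if (range->etype != EXPR_RANGE) goto out_done;` deserves a one-line comment explaining why the evaluated expression can stop being a range (per the commit message, a range whose start and end are equal is collapsed to a single value during evaluation), because a reader of the function body alone cannot tell that `range->left`/`range->right` are uninitialized in that case. Consider also narrowing the condition to the value type the collapse actually produces, or adding an assertion, since as written any other etype silently takes the same early exit.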
@@ -2371,6 +2375,7 @@ static int expr_evaluate_symbol_range(struct eval_ctx *ctx, struct expr **exprp)
return 0;
}
+out_done:
expr_free(expr);
*exprp = range;
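Review bot: `out_done:` lands directly on `expr_free(expr); *exprp = range;`, the same tail the normal path falls into, so the fix is purely a bypass of the left/right handling for the collapsed case. That is the minimal change, but the label name does not convey that `range` may now be a single value rather than an EXPR_RANGE; a short comment at the label (or a name like `out_replace:`) would make the shared tail clearer to the next reader.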
diff --git a/tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft b/tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft
new file mode 100644
index 000000000000..c4682475917e
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft
@@ -0,0 +1,35 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "t",
+ "handle": 0
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "X",
+ "table": "t",
+ "type": "inet_service",
+ "handle": 0,
+ "flags": [
+ "interval"
+ ],
+ "elem": [
+ 10,
+ 30,
+ 35
+ ]
+ }
+ }
+ ]
+}
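Review bot: the expected dump lists `10, 30, 35`, so this file also pins down that the collapsed `30-30` and the literal `30` from the test input are merged rather than reported as conflicting elements. Worth stating that intent in the test script, since a future change that keeps both or emits `30-30` would fail this comparison without an obvious reason.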
diff --git a/tests/shell/testcases/sets/dumps/range_with_same_start_end.nft b/tests/shell/testcases/sets/dumps/range_with_same_start_end.nft
new file mode 100644
index 000000000000..78979e9e0d5e
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/range_with_same_start_end.nft
@@ -0,0 +1,7 @@
+table ip t {
+ set X {
+ type inet_service
+ flags interval
+ elements = { 10, 30, 35 }
+ }
+}
diff --git a/tests/shell/testcases/sets/range_with_same_start_end b/tests/shell/testcases/sets/range_with_same_start_end
new file mode 100755
index 000000000000..127f0921f0de
--- /dev/null
+++ b/tests/shell/testcases/sets/range_with_same_start_end
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT -f - <<EOF
+table ip t {
+ set X {
+ type inet_service
+ flags interval
+ elements = { 10, 30-30, 30, 35 }
+ }
+}
+EOF
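Review bot: the script only exercises the load path under `set -e`, so a crash or non-zero exit from `$NFT -f -` fails it and the expected listing is verified by the accompanying dump files; a comment above the heredoc noting that `30-30` is the reproducer (a range with identical start and end, which previously led to reading uninitialized range->left/right) and that the standalone `30` checks the merge with the collapsed element would make the purpose obvious when the test is read on its own.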
--
2.45.3
* Re: [PATCH nft] evaluate: don't crash if range has same start and end interval
From: Pablo Neira Ayuso @ 2025-03-10 9:49 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Mon, Mar 10, 2025 at 08:29:37AM +0100, Florian Westphal wrote:
> In this case, evaluation step replaces the range expression with a
> single value and we'd crash as range->left/right contain garbage
> values.
>
> Simply replace the input expression with the evaluation result.
>
> Also add a test case modeled on the afl reproducer.
>
> Fixes: fe6cc0ad29cd ("evaluate: consolidate evaluation of symbol range expression")
> Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Thanks for fixing this silly bug.
> ---
> src/evaluate.c | 5 +++
> .../dumps/range_with_same_start_end.json-nft | 35 +++++++++++++++++++
> .../sets/dumps/range_with_same_start_end.nft | 7 ++++
> .../testcases/sets/range_with_same_start_end | 13 +++++++
> 4 files changed, 60 insertions(+)
> create mode 100644 tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft
> create mode 100644 tests/shell/testcases/sets/dumps/range_with_same_start_end.nft
> create mode 100755 tests/shell/testcases/sets/range_with_same_start_end
>
> diff --git a/src/evaluate.c b/src/evaluate.c
> index e27d08ce7ef8..722c11a23c2d 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -2351,6 +2351,10 @@ static int expr_evaluate_symbol_range(struct eval_ctx *ctx, struct expr **exprp)
> expr_free(range);
> return -1;
> }
> +
> + if (range->etype != EXPR_RANGE)
> + goto out_done;
> +
> left = range->left;
> right = range->right;
>
> @@ -2371,6 +2375,7 @@ static int expr_evaluate_symbol_range(struct eval_ctx *ctx, struct expr **exprp)
> return 0;
> }
>
> +out_done:
> expr_free(expr);
> *exprp = range;
>
> diff --git a/tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft b/tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft
> new file mode 100644
> index 000000000000..c4682475917e
> --- /dev/null
> +++ b/tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft
> @@ -0,0 +1,35 @@
> +{
> + "nftables": [
> + {
> + "metainfo": {
> + "version": "VERSION",
> + "release_name": "RELEASE_NAME",
> + "json_schema_version": 1
> + }
> + },
> + {
> + "table": {
> + "family": "ip",
> + "name": "t",
> + "handle": 0
> + }
> + },
> + {
> + "set": {
> + "family": "ip",
> + "name": "X",
> + "table": "t",
> + "type": "inet_service",
> + "handle": 0,
> + "flags": [
> + "interval"
> + ],
> + "elem": [
> + 10,
> + 30,
> + 35
> + ]
> + }
> + }
> + ]
> +}
> diff --git a/tests/shell/testcases/sets/dumps/range_with_same_start_end.nft b/tests/shell/testcases/sets/dumps/range_with_same_start_end.nft
> new file mode 100644
> index 000000000000..78979e9e0d5e
> --- /dev/null
> +++ b/tests/shell/testcases/sets/dumps/range_with_same_start_end.nft
> @@ -0,0 +1,7 @@
> +table ip t {
> + set X {
> + type inet_service
> + flags interval
> + elements = { 10, 30, 35 }
> + }
> +}
> diff --git a/tests/shell/testcases/sets/range_with_same_start_end b/tests/shell/testcases/sets/range_with_same_start_end
> new file mode 100755
> index 000000000000..127f0921f0de
> --- /dev/null
> +++ b/tests/shell/testcases/sets/range_with_same_start_end
> @@ -0,0 +1,13 @@
> +#!/bin/bash
> +
> +set -e
> +
> +$NFT -f - <<EOF
> +table ip t {
> + set X {
> + type inet_service
> + flags interval
> + elements = { 10, 30-30, 30, 35 }
> + }
> +}
> +EOF
> --
> 2.45.3
>
>