nftables/backport-evaluate-fix-segfault-when-adding-elements-to-invalid-set.patch

From 27107b4932b1bd1a39c21e0d7865f3bf220a3857 Mon Sep 17 00:00:00 2001
From: Peter Tirsek <peter@tirsek.com>
Date: Sun, 26 Jun 2022 00:47:07 -0500
Subject: [PATCH] evaluate: fix segfault when adding elements to invalid set

Adding elements to a set or map with an invalid definition causes nft to
segfault. The following nftables.conf triggers the crash:

    flush ruleset
    create table inet filter
    set inet filter foo {}
    add element inet filter foo { foobar }

Simply parsing and checking the config will trigger it:

    $ nft -c -f nftables.conf.crash
    Segmentation fault

The error in the set/map definition is correctly caught and queued, but
because the set is invalid and does not contain a key type, adding to it
causes a NULL pointer dereference of set->key within setelem_evaluate().

I don't think it's necessary to queue another error since the underlying
problem is correctly detected and reported when parsing the definition
of the set. Simply checking the validity of set->key before using it
seems to fix it, causing the error in the definition of the set to be
reported properly. The element type error isn't caught, but that seems
reasonable since the key type is invalid or unknown anyway:

    $ ./nft -c -f ~/nftables.conf.crash
    /home/pti/nftables.conf.crash:3:21-21: Error: set definition does not specify key
    set inet filter foo {}
                        ^

[ Add tests to cover this case --pablo ]

Conflict: remove tests/shell/testcases/sets/errors_0
Reference: https://git.netfilter.org/nftables/commit?id=27107b4932b1bd1a39c21e0d7865f3bf220a3857

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1597
Signed-off-by: Peter Tirsek <peter@tirsek.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/evaluate.c b/src/evaluate.c
index 8de8351..a7c2722 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3853,6 +3853,9 @@ static int setelem_evaluate(struct eval_ctx *ctx, struct cmd *cmd)
 		return set_not_found(ctx, &ctx->cmd->handle.set.location,
 				     ctx->cmd->handle.set.name);
 
+	if (set->key == NULL)
+	    return -1;
+
 	ctx->set = set;
 	expr_set_context(&ctx->ectx, set->key->dtype, set->key->len);
 	if (expr_evaluate(ctx, &cmd->expr) < 0)
-- 
2.33.0
fix Community bugs (cherry picked from commit 1258053e29d80addcc11865a921c9bfaa91eb903) 2022-09-03 16:26:50 +08:00			`From 27107b4932b1bd1a39c21e0d7865f3bf220a3857 Mon Sep 17 00:00:00 2001`
			`From: Peter Tirsek <peter@tirsek.com>`
			`Date: Sun, 26 Jun 2022 00:47:07 -0500`
			`Subject: [PATCH] evaluate: fix segfault when adding elements to invalid set`

			`Adding elements to a set or map with an invalid definition causes nft to`
			`segfault. The following nftables.conf triggers the crash:`

			`flush ruleset`
			`create table inet filter`
			`set inet filter foo {}`
			`add element inet filter foo { foobar }`

			`Simply parsing and checking the config will trigger it:`

			`$ nft -c -f nftables.conf.crash`
			`Segmentation fault`

			`The error in the set/map definition is correctly caught and queued, but`
			`because the set is invalid and does not contain a key type, adding to it`
			`causes a NULL pointer dereference of set->key within setelem_evaluate().`

			`I don't think it's necessary to queue another error since the underlying`
			`problem is correctly detected and reported when parsing the definition`
			`of the set. Simply checking the validity of set->key before using it`
			`seems to fix it, causing the error in the definition of the set to be`
			`reported properly. The element type error isn't caught, but that seems`
			`reasonable since the key type is invalid or unknown anyway:`

			`$ ./nft -c -f ~/nftables.conf.crash`
			`/home/pti/nftables.conf.crash:3:21-21: Error: set definition does not specify key`
			`set inet filter foo {}`
			`^`

			`[ Add tests to cover this case --pablo ]`

			`Conflict: remove tests/shell/testcases/sets/errors_0`
			`Reference: https://git.netfilter.org/nftables/commit?id=27107b4932b1bd1a39c21e0d7865f3bf220a3857`

			`Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1597`
			`Signed-off-by: Peter Tirsek <peter@tirsek.com>`
			`Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>`
			`---`
			`src/evaluate.c \| 3 +++`
			`1 file changed, 3 insertions(+)`

			`diff --git a/src/evaluate.c b/src/evaluate.c`
			`index 8de8351..a7c2722 100644`
			`--- a/src/evaluate.c`
			`+++ b/src/evaluate.c`
			`@@ -3853,6 +3853,9 @@ static int setelem_evaluate(struct eval_ctx ctx, struct cmd cmd)`
			`return set_not_found(ctx, &ctx->cmd->handle.set.location,`
			`ctx->cmd->handle.set.name);`

			`+ if (set->key == NULL)`
			`+ return -1;`
			`+`
			`ctx->set = set;`
			`expr_set_context(&ctx->ectx, set->key->dtype, set->key->len);`
			`if (expr_evaluate(ctx, &cmd->expr) < 0)`
			`--`
			`2.33.0`