packages/nftables
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nftables/backport-evaluate-fix-segfault-when-adding-elements-to-invalid-set.patch
xinghe 2a3e281bef fix Community bugs 
(cherry picked from commit 1258053e29d80addcc11865a921c9bfaa91eb903)
2022-09-05 16:09:33 +08:00

64 lines
2.3 KiB
Diff
Raw Blame History

From 27107b4932b1bd1a39c21e0d7865f3bf220a3857 Mon Sep 17 00:00:00 2001
From: Peter Tirsek <peter@tirsek.com>
Date: Sun, 26 Jun 2022 00:47:07 -0500
Subject: [PATCH] evaluate: fix segfault when adding elements to invalid set
Adding elements to a set or map with an invalid definition causes nft to
segfault. The following nftables.conf triggers the crash:
flush ruleset
create table inet filter
set inet filter foo {}
add element inet filter foo { foobar }
Simply parsing and checking the config will trigger it:
$ nft -c -f nftables.conf.crash
Segmentation fault
The error in the set/map definition is correctly caught and queued, but
because the set is invalid and does not contain a key type, adding to it
causes a NULL pointer dereference of set->key within setelem_evaluate().
I don't think it's necessary to queue another error since the underlying
problem is correctly detected and reported when parsing the definition
of the set. Simply checking the validity of set->key before using it
seems to fix it, causing the error in the definition of the set to be
reported properly. The element type error isn't caught, but that seems
reasonable since the key type is invalid or unknown anyway:
$ ./nft -c -f ~/nftables.conf.crash
/home/pti/nftables.conf.crash:3:21-21: Error: set definition does not specify key
set inet filter foo {}
^
[ Add tests to cover this case --pablo ]
Conflict: remove tests/shell/testcases/sets/errors_0
Reference: https://git.netfilter.org/nftables/commit?id=27107b4932b1bd1a39c21e0d7865f3bf220a3857
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1597
Signed-off-by: Peter Tirsek <peter@tirsek.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/evaluate.c b/src/evaluate.c
index 8de8351..a7c2722 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3853,6 +3853,9 @@ static int setelem_evaluate(struct eval_ctx *ctx, struct cmd *cmd)
return set_not_found(ctx, &ctx->cmd->handle.set.location,
ctx->cmd->handle.set.name);
+ if (set->key == NULL)
+ return -1;
+
ctx->set = set;
expr_set_context(&ctx->ectx, set->key->dtype, set->key->len);
if (expr_evaluate(ctx, &cmd->expr) < 0)
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink