diff options
| author | Sergei Trofimovich <slyfox@gentoo.org> | 2019-09-16 08:33:20 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2019-09-16 09:52:14 +0200 |
| commit | 5b37479b42b338d99d938c56d5d752145b0d9331 (patch) | |
| tree | 9682c66dd5560a6f07c019327c347854019e31b7 | |
| parent | 8a079c67a95cf87f10fe7eff5f96f1f007904288 (diff) | |
nftables: don't crash in 'list ruleset' if policy is not set
Minimal reproducer:
```
$ cat nft.ruleset
# filters
table inet filter {
chain prerouting {
type filter hook prerouting priority -50
}
}
# dump new state
list ruleset
$ nft -c -f ./nft.ruleset
table inet filter {
chain prerouting {
Segmentation fault (core dumped)
```
The crash happens in `chain_print_declaration()`:
```
if (chain->flags & CHAIN_F_BASECHAIN) {
mpz_export_data(&policy, chain->policy->value,
BYTEORDER_HOST_ENDIAN, sizeof(int));
```
Here `chain->policy` is `NULL` (as textual rule does not mention it).
The change is not to print the policy if it's not set
(similar to `chain_evaluate()` handling).
CC: Florian Westphal <fw@strlen.de>
CC: Pablo Neira Ayuso <pablo@netfilter.org>
CC: netfilter-devel@vger.kernel.org
Bug: https://bugzilla.netfilter.org/show_bug.cgi?id=1365
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Acked-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
| -rw-r--r-- | src/rule.c | 14 | ||||
| -rwxr-xr-x | tests/shell/testcases/nft-f/0021list_ruleset_0 | 15 | ||||
| -rw-r--r-- | tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft | 5 |
3 files changed, 29 insertions, 5 deletions
@@ -1107,17 +1107,21 @@ static void chain_print_declaration(const struct chain *chain, nft_print(octx, " # handle %" PRIu64, chain->handle.handle.id); nft_print(octx, "\n"); if (chain->flags & CHAIN_F_BASECHAIN) { - mpz_export_data(&policy, chain->policy->value, - BYTEORDER_HOST_ENDIAN, sizeof(int)); nft_print(octx, "\t\ttype %s hook %s", chain->type, hooknum2str(chain->handle.family, chain->hooknum)); if (chain->dev != NULL) nft_print(octx, " device \"%s\"", chain->dev); - nft_print(octx, " priority %s; policy %s;\n", + nft_print(octx, " priority %s;", prio2str(octx, priobuf, sizeof(priobuf), chain->handle.family, chain->hooknum, - chain->priority.expr), - chain_policy2str(policy)); + chain->priority.expr)); + if (chain->policy) { + mpz_export_data(&policy, chain->policy->value, + BYTEORDER_HOST_ENDIAN, sizeof(int)); + nft_print(octx, " policy %s;", + chain_policy2str(policy)); + } + nft_print(octx, "\n"); } } diff --git a/tests/shell/testcases/nft-f/0021list_ruleset_0 b/tests/shell/testcases/nft-f/0021list_ruleset_0 new file mode 100755 index 00000000..37729b4f --- /dev/null +++ b/tests/shell/testcases/nft-f/0021list_ruleset_0 @@ -0,0 +1,15 @@ +#!/bin/bash + +# Tests use of variables in jump statements + +set -e + +RULESET="table filter { + chain prerouting { + type filter hook prerouting priority -50 + } +} +list ruleset +" + +exec $NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft b/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft new file mode 100644 index 00000000..b2cd4011 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft @@ -0,0 +1,5 @@ +table ip filter { + chain prerouting { + type filter hook prerouting priority -50; policy accept; + } +} |