diff options
| author | Florian Westphal <fw@strlen.de> | 2021-06-30 17:45:18 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2021-06-30 17:56:16 +0200 |
| commit | 6d225d296ec48adefdbd3d003598a5d3c4ee22ff (patch) | |
| tree | 386ed40a964e33ed4d8b78090c45982dcef4e821 | |
| parent | 5fff08b0c940cdd1194b40c602980e73688f7be6 (diff) | |
netlink_delinarize: don't check for set element if set is not populated
0065_icmp_postprocessing: line 13: Segmentation fault $NFT insert rule ip x foo index 1 accept
Since no listing is done, cache isn't populated and 'nft insert' will trip over
set->init == NULL during postprocessing of the existing 'icmp id 42' expression.
Fixes: 9a5574e2d4e9 ("netlink_delinearize: add missing icmp id/sequence support")
Reported-by: Eric Garver <eric@garver.life>
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
| -rw-r--r-- | src/netlink_delinearize.c | 1 | ||||
| -rwxr-xr-x | tests/shell/testcases/sets/0065_icmp_postprocessing | 13 |
2 files changed, 14 insertions, 0 deletions
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 6a6f7747..71b69f62 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -1945,6 +1945,7 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx, struct set *set = expr->right->set; if (set_is_anonymous(set->flags) && + set->init && !list_empty(&set->init->expressions)) { struct expr *elem; diff --git a/tests/shell/testcases/sets/0065_icmp_postprocessing b/tests/shell/testcases/sets/0065_icmp_postprocessing new file mode 100755 index 00000000..f838c3ef --- /dev/null +++ b/tests/shell/testcases/sets/0065_icmp_postprocessing @@ -0,0 +1,13 @@ +#!/bin/bash + +set -e + +RULESET="table ip x { + chain foo { + icmp id 42 + } +}" + +$NFT -f - <<< $RULESET + +$NFT insert rule ip x foo index 0 accept |