diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-07-07 15:11:35 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-07-07 15:26:17 +0200 |
commit | 46980cddddfd77f2700fcb8234641711b985cd04 (patch) | |
tree | 1172ad84436982d4eefc55e6a8f12f6b10d137b5 | |
parent | 8a6cdfaff058412b3d0efec45541cd7d610aeefa (diff) |
rule: crash when uncollapsing command with unexisting table or set
If ruleset update refers to an unexisting table or set, then
cmd->elem.set is NULL.
Fixes: 498a5f0c219d ("rule: collapse set element commands")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/rule.c | 4 | ||||
-rwxr-xr-x | tests/shell/testcases/sets/errors_0 | 12 |
2 files changed, 15 insertions, 1 deletions
@@ -1453,7 +1453,9 @@ void nft_cmd_uncollapse(struct list_head *cmds) } list_for_each_entry_safe(collapse_cmd, collapse_cmd_next, &cmd->collapse_list, list) { - collapse_cmd->elem.set = set_get(cmd->elem.set); + if (cmd->elem.set) + collapse_cmd->elem.set = set_get(cmd->elem.set); + list_add(&collapse_cmd->list, &cmd->list); } } diff --git a/tests/shell/testcases/sets/errors_0 b/tests/shell/testcases/sets/errors_0 index f2da43a0..27f65df3 100755 --- a/tests/shell/testcases/sets/errors_0 +++ b/tests/shell/testcases/sets/errors_0 @@ -54,4 +54,16 @@ RULESET="table ip x { chain chain2 {} }" +$NFT -f - <<< $RULESET +if [ $? -eq 0 ] +then + exit 1 +fi + +RULESET="add set inet filter myset { type ipv4_addr; flags interval; auto-merge } +add element inet filter myset { 192.168.0.0/24 } +add element inet filter myset { 192.168.0.2 } +add element inet filter myset { 192.168.1.0/24 } +add element inet filter myset { 192.168.1.100 }" + $NFT -f - <<< $RULESET || exit 0 |