author | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-01-10 19:05:35 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-01-12 12:19:55 +0100 |
commit | 98c51aaac42b6d180f198d3d2f5b3425ab63ad72 (patch) | |
tree | 8c6aff2499f1fb5a00a7ef5027fbc9bafd7636bd /src/evaluate.c | |
parent | 955bb6d31c90453e43043346c917646ddc4e5c4e (diff) |
evaluate: bail out if anonymous concat set defines a non concat expression
Iterate over the element list in the anonymous set to validate that all
expressions are concatenations, otherwise bail out.
ruleset.nft:3:46-53: Error: expression is not a concatenation
ip protocol . th dport vmap { tcp / 22 : accept, tcp . 80 : drop}
^^^^^^^^
This is based on a patch from Florian Westphal.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r-- | src/evaluate.c | 33 |
1 files changed, 31 insertions, 2 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index eb55f6c0..e890585e 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -133,6 +133,13 @@ static struct expr *implicit_set_declaration(struct eval_ctx *ctx, set->init = expr; set->automerge = set->flags & NFT_SET_INTERVAL; + if (set_evaluate(ctx, set) < 0) { + if (set->flags & NFT_SET_MAP) + set->init = NULL; + set_free(set); + return NULL; + } + if (ctx->table != NULL) list_add_tail(&set->list, &ctx->table->sets); else { @@ -145,8 +152,6 @@ static struct expr *implicit_set_declaration(struct eval_ctx *ctx, list_add_tail(&cmd->list, &ctx->cmd->list); } - set_evaluate(ctx, set); - return set_ref_expr_alloc(&expr->location, set); } @@ -2070,6 +2075,8 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr) mappings = implicit_set_declaration(ctx, "__map%d", key, data, mappings); + if (!mappings) + return -1; if (ectx.len && mappings->set->data->len != ectx.len) BUG("%d vs %d\n", mappings->set->data->len, ectx.len); @@ -2641,6 +2648,9 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr) implicit_set_declaration(ctx, "__set%d", expr_get(left), NULL, right); + if (!right) + return -1; + /* fall through */ case EXPR_SET_REF: if (rel->left->etype == EXPR_CT && @@ -3283,6 +3293,8 @@ static int stmt_evaluate_meter(struct eval_ctx *ctx, struct stmt *stmt) setref = implicit_set_declaration(ctx, stmt->meter.name, expr_get(key), NULL, set); + if (!setref) + return -1; setref->set->desc.size = stmt->meter.size; stmt->meter.set = setref; @@ -4549,6 +4561,8 @@ static int stmt_evaluate_objref_map(struct eval_ctx *ctx, struct stmt *stmt) mappings = implicit_set_declaration(ctx, "__objmap%d", key, NULL, mappings); + if (!mappings) + return -1; mappings->set->objtype = stmt->objref.type; map->mappings = mappings; 
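Review bot: The failure path added to implicit_set_declaration clears `set->init` only under `if (set->flags & NFT_SET_MAP)` before set_free(), and nothing in the hunk explains why the init expression is owned differently for maps than for plain sets; from the callers patched further down it looks as if the map callers (expr_evaluate_map, stmt_evaluate_objref_map) keep their original `mappings` pointer after the -1 return, so set_free() must not release it, whereas the relational and meter callers hand their expression over — but that is inferred, not shown. That ownership rule deserves a comment on the NFT_SET_MAP line, e.g. `/* map callers keep and free their mappings expression; only the set's own key/data are released here */`, so the next caller added gets the contract right. Evaluating the set before it is linked into ctx->table->sets or the add command does mean a failed set never leaves a dangling list entry, which is the right order. The enclosing function starts before the hunk.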
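Review bot: In the expr_evaluate_relational hunk the new `if (!right) return -1;` tests the local only, while the assignment target of the implicit_set_declaration() call sits on the line just before the hunk and is not visible; if `rel->right` receives the same NULL, whatever frees the relational expression on the error path has to tolerate a NULL right operand, which is worth confirming and recording with a one-line comment such as `/* rel->right may be NULL here; error unwinding must cope */`. The `expr_get(left)` reference passed as the key is presumably released by set_free() inside implicit_set_declaration, since the key is assigned to the set there, so the early return itself should not leak it. The enclosing function and the switch this case belongs to start and end outside the hunk.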
@@ -4882,6 +4896,21 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) set->flags |= NFT_SET_CONCAT; } + if (set_is_anonymous(set->flags) && set->key->etype == EXPR_CONCAT) { + struct expr *i; + + list_for_each_entry(i, &set->init->expressions, list) { + if ((i->etype == EXPR_SET_ELEM && + i->key->etype != EXPR_CONCAT && + i->key->etype != EXPR_SET_ELEM_CATCHALL) || + (i->etype == EXPR_MAPPING && + i->left->etype == EXPR_SET_ELEM && + i->left->key->etype != EXPR_CONCAT && + i->left->key->etype != EXPR_SET_ELEM_CATCHALL)) + return expr_error(ctx->msgs, i, "expression is not a concatenation"); + } + } + if (set_is_datamap(set->flags)) { if (set->data == NULL) return set_error(ctx, set, "map definition does not " |
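Review bot: The new loop in set_evaluate dereferences `set->init` unconditionally for every anonymous set whose key is EXPR_CONCAT, so it assumes every such set reaching this point carries an init expression; that holds for sets built by implicit_set_declaration(), which assigns `set->init = expr` before calling set_evaluate() in the first hunk, but any other construction path with NFT_SET_ANONYMOUS and a NULL init would walk `&set->init->expressions` from a null pointer. A cheap guard, `if (set_is_anonymous(set->flags) && set->init && set->key->etype == EXPR_CONCAT) {`, makes that assumption explicit. The check also only inspects EXPR_SET_ELEM keys and the left side of EXPR_MAPPING when that left side is an EXPR_SET_ELEM, so a short comment stating the intent, `/* elements of a concatenated key must themselves be concatenations (or the catch-all element) */`, would help, since the rejected ruleset in the commit message is currently the only documentation of what is being validated. set_evaluate() starts before the hunk and continues after it.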