authorPhil Sutter <phil@nwl.cc>2018-03-19 18:02:05 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2018-03-20 13:07:39 +0100
commit4be0a3f922a2944a941316fad76a717cd46691bd (patch)
treecceb7cad3d8ed92d580891b9d411d23fc8077b9d /src
parenta55d79aa68266c790f3767ba240c3bdee247d511 (diff)
flowtable: Make parsing a little more robust
It was surprisingly easy to crash nft with invalid syntax in 'add flowtable' command. Catch at least three possible ways (illustrated in provided test case) by making evaluation phase survive so that bison gets a chance to complain. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r--src/evaluate.c6
-rw-r--r--src/expression.c2
2 files changed, 7 insertions, 1 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 6ae94b0f..d224f0f3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2838,6 +2838,9 @@ static int flowtable_evaluate(struct eval_ctx *ctx, struct flowtable *ft)
if (ft->hooknum == NF_INET_NUMHOOKS)
return chain_error(ctx, ft, "invalid hook %s", ft->hookstr);
+ if (!ft->dev_expr)
+ return chain_error(ctx, ft, "Unbound flowtable not allowed (must specify devices)");
+
return 0;
}
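Review bot: The hook check just above the new dev_expr test still formats `ft->hookstr` with `%s`, and since the str2hooknum hunk below now maps a NULL hook name to NF_INET_NUMHOOKS, a flowtable whose hook string was never set would reach that chain_error() call with a NULL argument, which is undefined behaviour for a printf-style `%s` (glibc happens to print "(null)"). This assumes ft->hooknum is derived from ft->hookstr through str2hooknum, which is not visible in this hunk. A fallback in the message closes the gap: `return chain_error(ctx, ft, "invalid hook %s", ft->hookstr ? ft->hookstr : "(unspecified)");`. The new error text also differs in capitalisation from the adjacent "invalid hook %s"; `"unbound flowtable not allowed (must specify devices)"` would keep the two consistent.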
@@ -2874,6 +2877,9 @@ static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule)
static uint32_t str2hooknum(uint32_t family, const char *hook)
{
+ if (!hook)
+ return NF_INET_NUMHOOKS;
+
switch (family) {
case NFPROTO_IPV4:
case NFPROTO_BRIDGE:
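Review bot: The NULL guard added at the top of str2hooknum returns NF_INET_NUMHOOKS, which is presumably the same sentinel the switch below yields for an unrecognised hook name, but nothing on the line says so; a one-line comment would keep that contract visible to callers, e.g. `/* no hook name given: report it like an unknown one (NF_INET_NUMHOOKS) */`. The remainder of str2hooknum, including how unknown names are actually handled, lies outside the hunk, so the sentinel's meaning here is inferred from the hooknum check in flowtable_evaluate above.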
diff --git a/src/expression.c b/src/expression.c
index 5f023d2a..e698b14c 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -65,7 +65,7 @@ void expr_free(struct expr *expr)
return;
if (--expr->refcnt > 0)
return;
- if (expr->ops->destroy)
+ if (expr->ops && expr->ops->destroy)
expr->ops->destroy(expr);
xfree(expr);
}
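Review bot: The added `expr->ops` test silently accepts an expr whose ops pointer was never filled in, and nothing in expr_free records why that is a legitimate state rather than a construction bug, so a later reader may take the guard for defensive noise and drop it. A short comment would preserve the reason, e.g. `/* ops may still be NULL for an expr abandoned part-way through parsing */`, which matches the commit message's account of parse errors in 'add flowtable' being the trigger but is otherwise inferred. Other paths that dereference expr->ops on a partially built expr are not visible in this hunk and may warrant the same check.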