evaluate: fix expression data corruption

Sometimes nftables will segfault when doing error-unwind of the included afl-generated bogon. The problem is the unconditional write access to expr->set_flags in expr_evaluate_map(): mappings->set_flags |= NFT_SET_MAP; ... but mappings can point to EXPR_VARIABLE (legal), where this will flip a bit in unused, but allocated memory (i.e., has no effect). In case of the bogon, mapping is EXPR_RANGE_SYMBOL, and the store can flip a bit in identifier_range[1], this causes crash when the pointer is freed. We can't use expr->set_flags unconditionally, so rework this to pass set_flags as argument and place all read and write accesses in places where we've made sure we are dealing with EXPR_SET. Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2025-03-11 14:07:03 +0100
committer: Florian Westphal <fw@strlen.de> 2025-03-12 08:14:24 +0100
commit: 02d44b4f99175cbbdccc8f5dd413b5e881c9f55b (patch)
tree: 9d6e2e6da477ad316245feca2ffce3d297d18d4d /tests/shell
parent: 3d9237282a3c6791067cec940f713c41ef61ff68 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/tests/shell/testcases/bogons/nft-f/range_expression_corruption b/tests/shell/testcases/bogons/nft-f/range_expression_corruption
new file mode 100644
index 00000000..b77221bd
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/range_expression_corruption
@@ -0,0 +1,2 @@
+aal	tht@nh,32,3 set ctag| oi to ip
+		p sept ct 		l3proto map  q -u dscp |  ma
+\ No newline at end of file
author	Florian Westphal <fw@strlen.de>	2025-03-11 14:07:03 +0100
committer	Florian Westphal <fw@strlen.de>	2025-03-12 08:14:24 +0100
commit	02d44b4f99175cbbdccc8f5dd413b5e881c9f55b (patch)
tree	9d6e2e6da477ad316245feca2ffce3d297d18d4d /tests/shell
parent	3d9237282a3c6791067cec940f713c41ef61ff68 (diff)