author | Sergei Trofimovich <slyfox@gentoo.org> | 2019-09-16 08:33:20 +0100
---|---|---
committer | Florian Westphal <fw@strlen.de> | 2019-09-16 09:52:14 +0200
commit | 5b37479b42b338d99d938c56d5d752145b0d9331 |
tree | 9682c66dd5560a6f07c019327c347854019e31b7 /tests |
parent | 8a079c67a95cf87f10fe7eff5f96f1f007904288 |
nftables: don't crash in 'list ruleset' if policy is not set
Minimal reproducer:
```
$ cat nft.ruleset
# filters
table inet filter {
    chain prerouting {
        type filter hook prerouting priority -50
    }
}
# dump new state
list ruleset
$ nft -c -f ./nft.ruleset
table inet filter {
    chain prerouting {
Segmentation fault (core dumped)
```
The crash happens in `chain_print_declaration()`:
```
if (chain->flags & CHAIN_F_BASECHAIN) {
    mpz_export_data(&policy, chain->policy->value,
                    BYTEORDER_HOST_ENDIAN, sizeof(int));
```
Here `chain->policy` is `NULL` (as the textual rule does not mention it).
The change is not to print the policy if it's not set
(similar to `chain_evaluate()` handling).
CC: Florian Westphal <fw@strlen.de>
CC: Pablo Neira Ayuso <pablo@netfilter.org>
CC: netfilter-devel@vger.kernel.org
Bug: https://bugzilla.netfilter.org/show_bug.cgi?id=1365
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Acked-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
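The failure mode described in the commit message, as an added example that is not part of the original commit or of nftables: a simplified model of a chain printer in which the policy expression is optional and the print path checks for it before dereferencing. The struct layout, `POLICY_*` values, `append()` and `chain_print_declaration_model()` are assumptions made for illustration; only `CHAIN_F_BASECHAIN` and the `chain->policy` field name come from the page.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Simplified stand-ins (assumed), NOT nftables' real definitions. */
#define CHAIN_F_BASECHAIN 0x1
enum { POLICY_DROP, POLICY_ACCEPT };  /* hypothetical policy values */
struct expr { int value; };           /* the real code exports an mpz value */
struct chain {
    const char *name, *type, *hook;
    unsigned int flags; int priority;
    struct expr *policy;              /* NULL when the ruleset omits a policy */
};
/* Bounded append: returns the new offset, capped at len - 1 on truncation. */
static size_t append(char *buf, size_t len, size_t off, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (off >= len)
        return off;
    va_start(ap, fmt);
    n = vsnprintf(buf + off, len - off, fmt, ap);
    va_end(ap);
    if (n < 0)
        return off;
    return (size_t)n < len - off ? off + (size_t)n : len - 1;
}

/* Writes the declaration into buf; the policy clause is optional. */
size_t chain_print_declaration_model(const struct chain *c, char *buf, size_t len)
{
    size_t off = append(buf, len, 0, "chain %s {\n", c->name);
    if (c->flags & CHAIN_F_BASECHAIN) {
        off = append(buf, len, off, "\ttype %s hook %s priority %d;",
                     c->type, c->hook, c->priority);
        /* The crashing code dereferenced c->policy here unconditionally. */
        if (c->policy != NULL)
            off = append(buf, len, off, " policy %s;",
                         c->policy->value == POLICY_ACCEPT ? "accept" : "drop");
        off = append(buf, len, off, "\n");
    }
    return append(buf, len, off, "}\n");
}

int main(void)
{
    struct chain c = { "prerouting", "filter", "prerouting", CHAIN_F_BASECHAIN, -50, NULL };
    char out[128];
    chain_print_declaration_model(&c, out, sizeof(out));
    return fputs(out, stdout) < 0;
}
```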
Diffstat (limited to 'tests')
-rwxr-xr-x | tests/shell/testcases/nft-f/0021list_ruleset_0 | 15
-rw-r--r-- | tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft | 5
2 files changed, 20 insertions, 0 deletions
diff --git a/tests/shell/testcases/nft-f/0021list_ruleset_0 b/tests/shell/testcases/nft-f/0021list_ruleset_0 new file mode 100755 index 00000000..37729b4f --- /dev/null +++ b/tests/shell/testcases/nft-f/0021list_ruleset_0 @@ -0,0 +1,15 @@ +#!/bin/bash + +# Tests use of variables in jump statements + +set -e + +RULESET="table filter { + chain prerouting { + type filter hook prerouting priority -50 + } +} +list ruleset +" + +exec $NFT -f - <<< "$RULESET" diff --git a/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft b/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft new file mode 100644 index 00000000..b2cd4011 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft @@ -0,0 +1,5 @@ +table ip filter { + chain prerouting { + type filter hook prerouting priority -50; policy accept; + } +} |
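Review bot: the header comment in tests/shell/testcases/nft-f/0021list_ruleset_0, `# Tests use of variables in jump statements`, does not match what the script does; it looks carried over from another test. Please reword it to say that `list ruleset` inside a `-f` batch must not crash for a base chain declared without a policy. The script also differs from the reproducer in the commit message, which uses `table inet filter` and `nft -c -f`, while RULESET here uses `table filter` and runs `$NFT -f -` without `-c`; consider covering the check-mode invocation as well, or note why the variant was chosen.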
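Review bot: the expected dump in tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft contains `policy accept;`, although RULESET in the test sets no policy and the commit message says the policy is not printed when unset. The dump therefore does not capture the policy-less listing that the fix changes, and the test only detects the bug through the exit status of `exec $NFT -f -` under `set -e`. Consider also comparing the output of the in-batch `list ruleset` against an expected string, or add a comment in the test explaining where the `policy accept;` in the dump comes from.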