summaryrefslogtreecommitdiffstats
path: root/tests/shell/testcases/sets/errors_0
Commit message (Collapse)AuthorAgeFilesLines
* rule: crash when uncollapsing command with unexisting table or setPablo Neira Ayuso2022-07-071-0/+12
| | | | | | | | If ruleset update refers to an unexisting table or set, then cmd->elem.set is NULL. Fixes: 498a5f0c219d ("rule: collapse set element commands") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: report missing interval flag when using prefix/range in concatenationPablo Neira Ayuso2022-07-071-0/+16
| | | | | | | | If set declaration is missing the interval flag, and user specifies an element with either prefix or range, then bail out. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1592 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: fix segfault when adding elements to invalid setPeter Tirsek2022-06-271-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adding elements to a set or map with an invalid definition causes nft to segfault. The following nftables.conf triggers the crash: flush ruleset create table inet filter set inet filter foo {} add element inet filter foo { foobar } Simply parsing and checking the config will trigger it: $ nft -c -f nftables.conf.crash Segmentation fault The error in the set/map definition is correctly caught and queued, but because the set is invalid and does not contain a key type, adding to it causes a NULL pointer dereference of set->key within setelem_evaluate(). I don't think it's necessary to queue another error since the underlying problem is correctly detected and reported when parsing the definition of the set. Simply checking the validity of set->key before using it seems to fix it, causing the error in the definition of the set to be reported properly. The element type error isn't caught, but that seems reasonable since the key type is invalid or unknown anyway: $ ./nft -c -f ~/nftables.conf.crash /home/pti/nftables.conf.crash:3:21-21: Error: set definition does not specify key set inet filter foo {} ^ [ Add tests to cover this case --pablo ] Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1597 Signed-off-by: Peter Tirsek <peter@tirsek.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* intervals: check for EXPR_F_REMOVE in case of element mismatchPablo Neira Ayuso2022-06-231-2/+18
| | | | | | | | If auto-merge is disable and element to be deleted finds no exact matching, then bail out. Fixes: 3e8d934e4f72 ("intervals: support to partial deletion with automerge") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* intervals: fix crash when trying to remove element in empty setPablo Neira Ayuso2022-06-231-0/+14
The set deletion routine expects an initialized set, otherwise it crashes. Fixes: 3e8d934e4f72 ("intervals: support to partial deletion with automerge") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>