From 986dea8a4a9d612a63508f628d342f70146ac6d0 Mon Sep 17 00:00:00 2001 From: Arturo Borrero Gonzalez Date: Fri, 26 May 2017 13:00:21 +0200 Subject: evaluate: avoid reference to multiple src data in statements which set values Prevent this assert: % nft [..] tcp dport set { 0 , 1 } BUG: unknown expression type set reference nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed. Aborted We can't use a set here because we will not known which value to use. With this patch, a proper error message is reported to users: % nft add rule t c tcp dport set {1, 2, 3, 4, 5} :1:28-42: Error: you cannot use a set here, unknown value to use add rule t c tcp dport set {1, 2, 3, 4, 5} ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^ % nft add rule t c tcp dport set @s :1:28-29: Error: you cannot reference a set here, unknown value to use add rule t c tcp dport set @s ~~~~~~~~~~~~~~^^ This error is reported to all statements which set values. Signed-off-by: Arturo Borrero Gonzalez Signed-off-by: Pablo Neira Ayuso --- src/evaluate.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'src/evaluate.c') diff --git a/src/evaluate.c b/src/evaluate.c index 27cee989..4ca14842 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1759,6 +1759,21 @@ static int stmt_evaluate_arg(struct eval_ctx *ctx, struct stmt *stmt, "datatype mismatch: expected %s, " "expression has type %s", dtype->desc, (*expr)->dtype->desc); + + /* we are setting a value, we can't use a set */ + switch ((*expr)->ops->type) { + case EXPR_SET: + return stmt_binary_error(ctx, *expr, stmt, + "you cannot use a set here, unknown " + "value to use"); + case EXPR_SET_REF: + return stmt_binary_error(ctx, *expr, stmt, + "you cannot reference a set here, " + "unknown value to use"); + default: + break; + } + return 0; } -- cgit v1.2.3