diff options
| author | Florian Westphal <fw@strlen.de> | 2025-04-02 07:18:18 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2025-04-02 11:18:21 +0200 |
| commit | 713592c6008a8c589a00d3d3d2e49709ff2de62c (patch) | |
| tree | 588b358fbb009f14ea7378e338003219e86e062e | |
| parent | 9b7346d1eac2eb90a2baf589affafec5b1a033b6 (diff) | |
The bison parser enforces this implicitly by grammar rules.
Because subkeys have to be conatenated via ".", notation, e.g.
"mark . ip saddr", all concatenation expressions always consist of at
least two elements.
But this doesn't apply to the json frontend which just uses an array:
it can be empty or only contain one element.
The included reproducer makes the eval stage set the "concatenation" flag
on the interval set. This prevents the needed conversion code to turn the
element values into ranges from getting run.
The reproducer asserts with:
nft: src/intervals.c:786: setelem_to_interval: Assertion `key->etype == EXPR_RANGE_VALUE' failed.
Convert the assertion to BUG() so we can see what element type got passed
to the set interval code in case we have further issues in this area.
Reject 0-or-1-element concatenations from the json parser.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | src/intervals.c | 4 | ||||
| -rw-r--r-- | src/parser_json.c | 20 | ||||
| -rw-r--r-- | tests/shell/testcases/bogons/nft-j-f/set_with_single_value_concat_assert | 26 |
3 files changed, 41 insertions, 9 deletions
diff --git a/src/intervals.c b/src/intervals.c index 71ad210b..1ab443bc 100644 --- a/src/intervals.c +++ b/src/intervals.c @@ -783,7 +783,9 @@ int setelem_to_interval(const struct set *set, struct expr *elem, next_key = NULL; } - assert(key->etype == EXPR_RANGE_VALUE); + if (key->etype != EXPR_RANGE_VALUE) + BUG("key must be RANGE_VALUE, not %s\n", expr_name(key)); + assert(!next_key || next_key->etype == EXPR_RANGE_VALUE); /* skip end element for adjacents intervals in anonymous sets. */ diff --git a/src/parser_json.c b/src/parser_json.c index 94d09212..724cba88 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -1251,6 +1251,16 @@ static struct expr *json_parse_binop_expr(struct json_ctx *ctx, return binop_expr_alloc(int_loc, thisop, left, right); } +static struct expr *json_check_concat_expr(struct json_ctx *ctx, struct expr *e) +{ + if (e->size >= 2) + return e; + + json_error(ctx, "Concatenation with %d elements is illegal", e->size); + expr_free(e); + return NULL; +} + static struct expr *json_parse_concat_expr(struct json_ctx *ctx, const char *type, json_t *root) { @@ -1284,7 +1294,7 @@ static struct expr *json_parse_concat_expr(struct json_ctx *ctx, } compound_expr_add(expr, tmp); } - return expr; + return expr ? json_check_concat_expr(ctx, expr) : NULL; } static struct expr *json_parse_prefix_expr(struct json_ctx *ctx, @@ -1748,13 +1758,7 @@ static struct expr *json_parse_dtype_expr(struct json_ctx *ctx, json_t *root) compound_expr_add(expr, i); } - if (list_empty(&expr->expressions)) { - json_error(ctx, "Empty concatenation"); - expr_free(expr); - return NULL; - } - - return expr; + return json_check_concat_expr(ctx, expr); } else if (json_is_object(root)) { const char *key; json_t *val; diff --git a/tests/shell/testcases/bogons/nft-j-f/set_with_single_value_concat_assert b/tests/shell/testcases/bogons/nft-j-f/set_with_single_value_concat_assert new file mode 100644 index 00000000..c99a2668 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-j-f/set_with_single_value_concat_assert @@ -0,0 +1,26 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "nftables", "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "set": { + "family": "ip", + "name": "s", + "table": "t", + "type": [ "ifname" ], + "flags": [ "interval" ], + "elem": [ [] ] + } + } + ] +} |