authorFlorian Westphal <fw@strlen.de>2025-03-17 12:56:36 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2025-07-27 20:07:49 +0200
commit1363a48ad440d563cc3862b335d8e7efec2d1a1d (patch)
treeaf071748977cdadc8843680d4fa6fddb81abdceb
parent3bb26189d1b9d0969900e486bbade27b7b9dac12 (diff)
evaluate: move interval flag compat check after set key evaluation
commit 3e50cd6b063d64c2e72b0e32bc36dd5a22f75c06 upstream. Without this, included bogon asserts with: BUG: unhandled key type 13 nft: src/intervals.c:73: setelem_expr_to_range: Assertion `0' failed. ... because we no longer evaluate set->key/data. Move the check to the tail of the function, right before assigning set->existing_set, so that set->key has been evaluated. Fixes: ceab53cee499 ("evaluate: don't allow merging interval set/map with non-interval one") Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/evaluate.c6
-rw-r--r--tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_2_assert13
2 files changed, 16 insertions, 3 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index b15d6c8d..3b760919 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4804,9 +4804,6 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
if (existing_flags == new_flags)
set->flags |= NFT_SET_EVAL;
}
-
- if (set_is_interval(set->flags) && !set_is_interval(existing_set->flags))
- return set_error(ctx, set, "existing %s lacks interval flag", type);
} else {
set_cache_add(set_get(set), table);
}
@@ -4897,6 +4894,9 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
return 0;
}
+ if (existing_set && set_is_interval(set->flags) && !set_is_interval(existing_set->flags))
+ return set_error(ctx, set, "existing %s lacks interval flag", type);
+
set->existing_set = existing_set;
return 0;
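Review bot: The relocated interval-flag check at the tail of set_evaluate() depends on an ordering that nothing in the code records. It has to run after set->key is evaluated, and it now sits below the `return 0;` at the top of this hunk, so any path that takes that return never reaches it. I would add a comment directly above the check, for example `/* keep after set->key evaluation: rejecting earlier skips it and the interval code asserts on the unevaluated key */`, so that a later cleanup does not move it back next to the other existing_set checks. It is also worth confirming that the early-return branch can never be entered with a non-NULL existing_set; its condition is outside the hunk, so this is inferred rather than visible. The body of set_evaluate() starts and ends outside the hunk.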
diff --git a/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_2_assert b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_2_assert
new file mode 100644
index 00000000..56f541a6
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_2_assert
@@ -0,0 +1,13 @@
+table inet t {
+ map m2 {
+ typeof udp length . @ih,32,32 : verdict
+ elements = {
+ 1-10 . 0xa : drop }
+ }
+
+ map m2 {
+ typeof udp length . @ih,32,32 : verdict
+ flags interval
+ elements = { 20-80 . 0x14 : accept }
+ }
+}