| author | Florian Westphal <fw@strlen.de> | 2025-07-21 13:09:55 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2025-08-13 20:54:15 +0200 |
| commit | d0004ba7bf3e3c404a9e4a948d16157e85c9a544 (patch) | |
| tree | dcf3408c3ccffc3c82fbea7b0435177cad08d578 | |
| parent | bce146622186cd6fc91429541dce5a880008924b (diff) | |
parser_json: reject non-concat expression
commit f4d3e5e2f6595b6628b2aa948ff45ffaec40fb65 upstream.
Before "src: detach set, list and concatenation expression layout":
internal:0:0-0: Error: Concatenation with 0 elements is illegal
After this change, expr->size access triggers assert() failure, add
explicit test for etype to avoid this and error out:
internal:0:0-0: Error: Expected concat element, got symbol.
Fixes: e0d92243be1c ("src: detach set, list and concatenation expression layout")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | src/parser_json.c | 10 | ||||
| -rw-r--r-- | tests/shell/testcases/bogons/nft-j-f/concat_is_not_concat_assert | 39 |
2 files changed, 48 insertions, 1 deletions
diff --git a/src/parser_json.c b/src/parser_json.c index b213478e..f49c2619 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -1181,10 +1181,18 @@ static struct expr *json_parse_binop_expr(struct json_ctx *ctx, static struct expr *json_check_concat_expr(struct json_ctx *ctx, struct expr *e) { + if (e->etype != EXPR_CONCAT) { + json_error(ctx, "Expected concatenation, got %s", expr_name(e)); + goto err_free; + } + if (e->size >= 2) return e; - json_error(ctx, "Concatenation with %d elements is illegal", e->size); + json_error(ctx, "Concatenation with %d elements is illegal", + e->size); + +err_free: expr_free(e); return NULL; } diff --git a/tests/shell/testcases/bogons/nft-j-f/concat_is_not_concat_assert b/tests/shell/testcases/bogons/nft-j-f/concat_is_not_concat_assert new file mode 100644 index 00000000..bdee0351 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-j-f/concat_is_not_concat_assert @@ -0,0 +1,39 @@ +{ + "nftables": [ + { + "metainfo": { +"ver": "ION", + "rame": "RAME", + "json_schema_version": 1 + } + }, + { + "table": { "family": "ip", "name": "filter", + "le": 0 + } + }, + { + "set": { + "family": "ip", + "name": "test_set", + "table": "filter", + "type": [ + "iface_index", "ether_addr", "ipv4_addr" + ], + "he": 0, + "flags": "interval", +"elem": [ + { + "elem": { + "val": { + "concat": [ + "10.1.2.3" + ] }, + "comment": "90" +} + } + ] + } +} + ] +} |
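Review bot: json_check_concat_expr() frees `e` on both failure paths (the new `err_free:` label is shared by the etype check and the element-count check), yet nothing at the definition says that it consumes the expression on error; the callers are outside this hunk, so whether any of them also frees after a NULL return cannot be confirmed here. I would add a comment above the signature, e.g. `/* Returns e if it is an EXPR_CONCAT with at least two elements; otherwise reports an error, frees e and returns NULL. */`, and state there that the etype test must stay ahead of any `e->size` read, because this function sees expressions built directly from parsed JSON input. The sample output in the commit message ("Expected concat element, got symbol.") does not match the string added here (`"Expected concatenation, got %s"`), so one of the two should be aligned. If `size` is an unsigned field (its declaration is not visible on this page), the `%d` in the re-wrapped json_error() call should be `%u`.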
