diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-06-17 17:20:17 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-06-23 19:00:02 +0200 |
| commit | 64ebb03a8c87af4f664f8b7e190dee4cbbefb962 (patch) | |
| tree | 387ec864060359d8791bdf11cc0cdfeaa48e1f01 | |
| parent | 59e3a59221fb81c289a0868a85140dd452fb1c30 (diff) | |
optimize: do not compare relational expression rhs when collecting statements
When building the statement matrix, do not compare expression right hand
side, otherwise bogus mismatches might occur.
The fully compared flag is set on when comparing rules to look for
possible mergers.
Fixes: 3f36cc6c3dcd ("optimize: do not merge unsupported statement expressions")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | src/optimize.c | 39 |
1 files changed, 21 insertions, 18 deletions
diff --git a/src/optimize.c b/src/optimize.c index 3a3049d4..a2a4e587 100644 --- a/src/optimize.c +++ b/src/optimize.c @@ -105,7 +105,8 @@ static bool stmt_expr_supported(const struct expr *expr) return false; } -static bool __stmt_type_eq(const struct stmt *stmt_a, const struct stmt *stmt_b) +static bool __stmt_type_eq(const struct stmt *stmt_a, const struct stmt *stmt_b, + bool fully_compare) { struct expr *expr_a, *expr_b; @@ -117,9 +118,11 @@ static bool __stmt_type_eq(const struct stmt *stmt_a, const struct stmt *stmt_b) expr_a = stmt_a->expr; expr_b = stmt_b->expr; - if (!stmt_expr_supported(expr_a) || - !stmt_expr_supported(expr_b)) - return false; + if (fully_compare) { + if (!stmt_expr_supported(expr_a) || + !stmt_expr_supported(expr_b)) + return false; + } return __expr_cmp(expr_a->left, expr_b->left); case STMT_COUNTER: @@ -237,24 +240,12 @@ static bool stmt_verdict_eq(const struct stmt *stmt_a, const struct stmt *stmt_b return false; } -static bool stmt_type_eq(const struct stmt *stmt_a, const struct stmt *stmt_b) -{ - if (!stmt_a && !stmt_b) - return true; - else if (!stmt_a) - return false; - else if (!stmt_b) - return false; - - return __stmt_type_eq(stmt_a, stmt_b); -} - static bool stmt_type_find(struct optimize_ctx *ctx, const struct stmt *stmt) { uint32_t i; for (i = 0; i < ctx->num_stmts; i++) { - if (__stmt_type_eq(stmt, ctx->stmt[i])) + if (__stmt_type_eq(stmt, ctx->stmt[i], false)) return true; } @@ -321,7 +312,7 @@ static int cmd_stmt_find_in_stmt_matrix(struct optimize_ctx *ctx, struct stmt *s uint32_t i; for (i = 0; i < ctx->num_stmts; i++) { - if (__stmt_type_eq(stmt, ctx->stmt[i])) + if (__stmt_type_eq(stmt, ctx->stmt[i], false)) return i; } /* should not ever happen. */ @@ -886,6 +877,18 @@ static void merge_rules(const struct optimize_ctx *ctx, fprintf(octx->error_fp, "\n"); } +static bool stmt_type_eq(const struct stmt *stmt_a, const struct stmt *stmt_b) +{ + if (!stmt_a && !stmt_b) + return true; + else if (!stmt_a) + return false; + else if (!stmt_b) + return false; + + return __stmt_type_eq(stmt_a, stmt_b, true); +} + static bool rules_eq(const struct optimize_ctx *ctx, int i, int j) { uint32_t k; |