author | Florian Westphal <fw@strlen.de> | 2023-12-20 11:06:04 +0100 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2023-12-20 11:22:13 +0100 |
commit | 588470e00539404fd793fe22718067721f5754be (patch) | |
tree | 41dd7ae44a466abf32075ea106626b2133c63431 | |
parent | 6c04e5ceb95068bb459b07307ecc3629d97a2043 (diff) |
evaluate: don't crash if object map does not refer to a value
Before:
BUG: Value export of 512 bytes would overflownft: src/netlink.c:474: netlink_gen_prefix: Assertion `0' failed.
After:
66: Error: Object mapping data should be a value, not prefix
synproxy name ip saddr map { 192.168.1.0/24 : "v*" }
Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r-- | src/evaluate.c | 5 | ||||
-rw-r--r-- | tests/shell/testcases/bogons/nft-f/objmap_to_prefix_assert | 6 |
2 files changed, 11 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 5ddbde42..26f0110f 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2140,6 +2140,11 @@ static int expr_evaluate_mapping(struct eval_ctx *ctx, struct expr **expr)
 return expr_error(ctx->msgs, mapping->right,
 "Value must be a singleton");
 
+ if (set_is_objmap(set->flags) && mapping->right->etype != EXPR_VALUE)
+ return expr_error(ctx->msgs, mapping->right,
+ "Object mapping data should be a value, not %s",
+ expr_name(mapping->right));
+
 mapping->flags |= EXPR_F_CONSTANT;
 return 0;
 }
diff --git a/tests/shell/testcases/bogons/nft-f/objmap_to_prefix_assert b/tests/shell/testcases/bogons/nft-f/objmap_to_prefix_assert
new file mode 100644
index 00000000..d880a377
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/objmap_to_prefix_assert
@@ -0,0 +1,6 @@
+table t {
+ chain y {
+ type filter hook input priority filter; policy accept;
+ synproxy name ip saddr map { 192.168.1.0/24 : "x*" }
+ }
+}
|
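Review bot: The added objmap check at the end of expr_evaluate_mapping carries no comment saying why only `EXPR_VALUE` is accepted, so a later edit could relax this allow-list without realising it is what keeps malformed ruleset input away from the assertion quoted in the commit message. I would put a short comment above the `if`, for example `/* objmap data must be a plain value; a prefix here reaches netlink_gen_prefix() and hits BUG() */`. The check also dereferences `set` via `set->flags`; the function body starts outside the hunk, so whether `set` has already been rejected when NULL cannot be confirmed from here and is worth a quick look.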