author | Florian Westphal <fw@strlen.de> | 2025-03-31 14:43:34 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2025-04-02 07:11:40 +0200 |
commit | 9b7346d1eac2eb90a2baf589affafec5b1a033b6 (patch) | |
tree | 5d001e4bf144b82136dea9838477ed337285a29d | |
parent | d4bcce5abb05e34de594d24313379391fb9f2c6a (diff) |
evaluate: fix crash when generating reject statement error
After patch, this gets rejected with:
internal:0:0-0: Error: conflicting protocols specified: ip vs ip6
Without patch, we crash with a NULL dereference: we cannot use
reject.expr->location unconditionally.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/evaluate.c | 16 | ||||
-rw-r--r-- | tests/shell/testcases/bogons/nft-j-f/reject_stmt_with_no_expression_crash | 32 |
2 files changed, 46 insertions, 2 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 84c13169..f73edc91 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3799,6 +3799,18 @@ static int stmt_evaluate_reject_bridge(struct eval_ctx *ctx, struct stmt *stmt)
 return 0;
 }
 
+static int stmt_reject_error(struct eval_ctx *ctx,
+ const struct stmt *stmt,
+ const char *msg)
+{
+ struct expr *e = stmt->reject.expr;
+
+ if (e)
+ return stmt_binary_error(ctx, e, stmt, "%s", msg);
+
+ return stmt_error(ctx, stmt, "%s", msg);
+}
+
 static int stmt_evaluate_reject_family(struct eval_ctx *ctx, struct stmt *stmt)
 {
 struct proto_ctx *pctx = eval_proto_ctx(ctx);
@@ -3814,12 +3826,12 @@ static int stmt_evaluate_reject_family(struct eval_ctx *ctx, struct stmt *stmt)
 return -1;
 break;
 case NFT_REJECT_ICMPX_UNREACH:
- return stmt_binary_error(ctx, stmt->reject.expr, stmt,
+ return stmt_reject_error(ctx, stmt,
 "abstracted ICMP unreachable not supported");
 case NFT_REJECT_ICMP_UNREACH:
 if (stmt->reject.family == pctx->family)
 break;
- return stmt_binary_error(ctx, stmt->reject.expr, stmt,
+ return stmt_reject_error(ctx, stmt,
 "conflicting protocols specified: ip vs ip6");
 }
 break;
diff --git a/tests/shell/testcases/bogons/nft-j-f/reject_stmt_with_no_expression_crash b/tests/shell/testcases/bogons/nft-j-f/reject_stmt_with_no_expression_crash
new file mode 100644
index 00000000..04c01aa7
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-j-f/reject_stmt_with_no_expression_crash
@@ -0,0 +1,32 @@
+{
+ "nftables": [
+ {
+ "table": { "family": "ip", "name": "x",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "x",
+ "name": "c",
+ "handle": 0
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "x",
+ "chain": "c",
+ "expr": [
+ {
+ "reject": {
+ "type": "icmpv6",
+ "exprlimit": "port-unreachable"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
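Review bot: stmt_reject_error carries no comment saying why stmt->reject.expr can be NULL, which is the whole reason the helper exists; read on its own, the `if (e)` looks like a redundant NULL guard rather than the fix for a NULL dereference of reject.expr->location. Suggest a header comment above the function: `/* reject.expr is optional (untrusted JSON input may omit it, see the bogons test), so anchor the error at the expression only when one is present and fall back to the statement's own location otherwise. */`. Both branches pass the caller's message through "%s", which keeps a message containing '%' from being interpreted as a format string; that property is worth stating in the same comment so a future caller does not "simplify" it back to passing msg as the format.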
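Review bot: The two call sites in stmt_evaluate_reject_family now go through stmt_reject_error, but the same `stmt_binary_error(ctx, stmt->reject.expr, stmt, ...)` pattern may remain in the sibling reject evaluators (stmt_evaluate_reject_bridge ends just above the first hunk; any inet variant is not visible here), and reject.expr is equally optional for them; this hunk does not show those functions, so this is a suggestion to grep rather than a confirmed defect. If any such site exists, the new helper is the right replacement there too, since the bogons test shows that user-supplied JSON can reach the family check without an expression. stmt_evaluate_reject_family starts and ends outside the hunk.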