optimize: incorrect logic in verdict comparison

Keep inspecting rule verdicts before assuming they are equal. Update existing test to catch this bug. Fixes: 1542082e259b ("optimize: merge same selector with different verdict into verdict map") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2022-05-03 11:30:57 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2022-05-03 18:26:38 +0200
commit: c8b350392e23c3d33bdc65e6fed49bded672c181 (patch)
tree: 0caa45199de27a236a24868dad8cb8685fc2aa19 /src
parent: fc4da14128e33d87fa24c019ec8c3a69548bf466 (diff)
1 files changed, 6 insertions, 4 deletions
diff --git a/src/optimize.c b/src/optimize.c
index 4ad25fab..6d6a6d65 100644
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -622,12 +622,14 @@ static bool stmt_verdict_cmp(const struct optimize_ctx *ctx,
 		stmt_a = ctx->stmt_matrix[i][k];
 		stmt_b = ctx->stmt_matrix[i + 1][k];
 		if (!stmt_a && !stmt_b)
-			return true;
-		if (stmt_verdict_eq(stmt_a, stmt_b))
-			return true;
+			continue;
+		if (!stmt_a || !stmt_b)
+			return false;
+		if (!stmt_verdict_eq(stmt_a, stmt_b))
+			return false;
 	}
 
-	return false;
+	return true;
 }
 
 static void rule_optimize_print(struct output_ctx *octx,
author	Pablo Neira Ayuso <pablo@netfilter.org>	2022-05-03 11:30:57 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2022-05-03 18:26:38 +0200
commit	c8b350392e23c3d33bdc65e6fed49bded672c181 (patch)
tree	0caa45199de27a236a24868dad8cb8685fc2aa19 /src
parent	fc4da14128e33d87fa24c019ec8c3a69548bf466 (diff)