-rw-r--r--src/evaluate.c6
-rw-r--r--src/expression.c2
-rwxr-xr-xtests/shell/testcases/flowtable/0006segfault_014
3 files changed, 21 insertions, 1 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 6ae94b0f..d224f0f3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2838,6 +2838,9 @@ static int flowtable_evaluate(struct eval_ctx *ctx, struct flowtable *ft)
if (ft->hooknum == NF_INET_NUMHOOKS)
return chain_error(ctx, ft, "invalid hook %s", ft->hookstr);
+ if (!ft->dev_expr)
+ return chain_error(ctx, ft, "Unbound flowtable not allowed (must specify devices)");
+
return 0;
}
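Review bot: The new unbound-device check is placed after the hook check, and with str2hooknum now returning NF_INET_NUMHOOKS for a NULL hook string, the earlier `return chain_error(ctx, ft, "invalid hook %s", ft->hookstr);` can be reached with ft->hookstr == NULL, which hands a null pointer to `%s` — undefined behavior that glibc merely happens to render as "(null)". I would write `return chain_error(ctx, ft, "invalid hook %s", ft->hookstr ? ft->hookstr : "(unspecified)");` or emit a distinct "hook not specified" error so the user sees why the flowtable was rejected. Whether hookstr is really NULL on that path depends on parser code outside this hunk; the NULL guard added to str2hooknum in this same commit suggests it can be. flowtable_evaluate begins outside the hunk.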
@@ -2874,6 +2877,9 @@ static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule)
static uint32_t str2hooknum(uint32_t family, const char *hook)
{
+ if (!hook)
+ return NF_INET_NUMHOOKS;
+
switch (family) {
case NFPROTO_IPV4:
case NFPROTO_BRIDGE:
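Review bot: The new early return in str2hooknum yields NF_INET_NUMHOOKS with no comment, so a reader has to already know that this value doubles as the "invalid hook" sentinel that flowtable_evaluate compares against. I would add `/* No hook string (e.g. parser error path): report it as an invalid hook. */` above the return so the sentinel contract is stated where it is produced. The switch body and the remainder of str2hooknum continue outside the hunk.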
diff --git a/src/expression.c b/src/expression.c
index 5f023d2a..e698b14c 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -65,7 +65,7 @@ void expr_free(struct expr *expr)
return;
if (--expr->refcnt > 0)
return;
- if (expr->ops->destroy)
+ if (expr->ops && expr->ops->destroy)
expr->ops->destroy(expr);
xfree(expr);
}
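Review bot: The added `expr->ops &&` guard in expr_free stops the crash but leaves unexplained how an expression with NULL ops reaches the free path, which invites a future cleanup that removes it again. A comment such as `/* ops may still be NULL for an expression the parser abandoned mid-construction */` would record the reason; I am inferring the cause from the accompanying flowtable syntax-error test, so confirm it against the parser before committing to that wording. Note also that when ops is NULL no destroy hook runs, so any child expressions such a half-built node already owns are not released; if that can happen it is a leak on the error path rather than a crash, which is acceptable but worth stating in the same comment.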
diff --git a/tests/shell/testcases/flowtable/0006segfault_0 b/tests/shell/testcases/flowtable/0006segfault_0
new file mode 100755
index 00000000..de590b77
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0006segfault_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Make sure nft does not segfault when given invalid syntax in 'add flowtable' commands.
+
+$NFT add table ip t
+
+$NFT add flowtable ip t f { hook ingress priority 10\; devices = { lo } }
+[[ $? -eq 1 ]] || exit 1
+
+$NFT add flowtable ip t f { hook ingress\; priority 10\; }
+[[ $? -eq 1 ]] || exit 1
+
+$NFT add flowtable ip t f { hook ingress priority 10\; }
+[[ $? -eq 1 ]] || exit 1
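Review bot: The `$NFT add table ip t` on the first line is not checked, so if table creation fails (no netlink privileges, missing module) every following `add flowtable` fails with exit status 1 for the wrong reason and all three assertions pass vacuously. Write `$NFT add table ip t || exit 1` so a broken fixture is reported instead of masked. Reporting which case failed, e.g. `[[ $? -eq 1 ]] || { echo "case 1 did not fail as expected" >&2; exit 1; }`, would also make a regression easier to locate from the harness output.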