-rw-r--r-- | src/evaluate.c | 6 | ||||
-rw-r--r-- | src/expression.c | 2 | ||||
-rwxr-xr-x | tests/shell/testcases/flowtable/0006segfault_0 | 14 |
3 files changed, 21 insertions, 1 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 6ae94b0f..d224f0f3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2838,6 +2838,9 @@ static int flowtable_evaluate(struct eval_ctx *ctx, struct flowtable *ft)
 if (ft->hooknum == NF_INET_NUMHOOKS)
 return chain_error(ctx, ft, "invalid hook %s", ft->hookstr);
 
+ if (!ft->dev_expr)
+ return chain_error(ctx, ft, "Unbound flowtable not allowed (must specify devices)");
+
 return 0;
 }
 
@@ -2874,6 +2877,9 @@ static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule)
 
 static uint32_t str2hooknum(uint32_t family, const char *hook)
 {
+ if (!hook)
+ return NF_INET_NUMHOOKS;
+
 switch (family) {
 case NFPROTO_IPV4:
 case NFPROTO_BRIDGE:
diff --git a/src/expression.c b/src/expression.c
index 5f023d2a..e698b14c 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -65,7 +65,7 @@ void expr_free(struct expr *expr)
 return;
 if (--expr->refcnt > 0)
 return;
- if (expr->ops->destroy)
+ if (expr->ops && expr->ops->destroy)
 expr->ops->destroy(expr);
 xfree(expr);
 }
diff --git a/tests/shell/testcases/flowtable/0006segfault_0 b/tests/shell/testcases/flowtable/0006segfault_0
new file mode 100755
index 00000000..de590b77
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0006segfault_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Make sure nft does not segfault when given invalid syntax in 'add flowtable' commands.
+
+$NFT add table ip t
+
+$NFT add flowtable ip t f { hook ingress priority 10\; devices = { lo } }
+[[ $? -eq 1 ]] || exit 1
+
+$NFT add flowtable ip t f { hook ingress\; priority 10\; }
+[[ $? -eq 1 ]] || exit 1
+
+$NFT add flowtable ip t f { hook ingress priority 10\; }
+[[ $? -eq 1 ]] || exit 1 |
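Review bot: The new message `"Unbound flowtable not allowed (must specify devices)"` is capitalised while the neighbouring `"invalid hook %s"` message in the same function starts lowercase, so `"unbound flowtable not allowed (must specify devices)"` would keep nft's error output uniform. The intent of the guard is also worth recording at the check, since nothing in the hunk says why a device-less flowtable is rejected at evaluation time rather than earlier; a one-liner such as `/* a flowtable must be bound to at least one device */` above the `if` would do. flowtable_evaluate's body begins outside the hunk.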
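Review bot: Returning NF_INET_NUMHOOKS for a NULL `hook` routes the caller into the `chain_error(ctx, ft, "invalid hook %s", ft->hookstr)` branch shown in the previous hunk; if the NULL passed here is `ft->hookstr` itself (the call site is not in the hunk, so this is inferred), that `%s` then receives a NULL pointer, which is undefined behaviour even though glibc happens to print `(null)`. A dedicated check before the lookup would both avoid that and give a clearer report, e.g. `if (!ft->hookstr) return chain_error(ctx, ft, "missing hook");`, or the `%s` argument could be given a non-NULL fallback. str2hooknum's switch continues past the end of the hunk.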
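Review bot: The added `expr->ops` NULL test carries no comment saying when a live expr can reach expr_free with `ops` unset, so a later reader may take the guard for dead code and remove it, reintroducing the crash. Presumably this is an expression freed during parser error recovery before its ops were assigned (the shell test added by this commit only feeds invalid `add flowtable` syntax), but that should be stated at the check, e.g. `/* ops may be unset if the expr is freed before construction completes */`. Note that `xfree(expr)` still runs in that case, so anything a partially built expr already owns is not released by a destroy callback; worth confirming nothing else is attached at that point. expr_free's opening lines are outside the hunk.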
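Review bot: `$NFT add table ip t` on the fifth line is not checked, so if the table cannot be created the three flowtable commands would also exit 1 because the table is missing, and the script would pass without exercising the paths the commit fixes; `$NFT add table ip t || exit 1` makes the precondition explicit (unless the test harness already runs scripts with `set -e`, which the hunk does not show). Asserting exactly `1` is the right choice for the flowtable commands, since a crash terminates with a signal status rather than 1 and so still fails the test.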