From 1f1ff357b76f2d50fe093b673478070f340fa5d4 Mon Sep 17 00:00:00 2001
From: Patrick McHardy <kaber@trash.net>
Date: Mon, 12 Jan 2015 09:48:39 +0000
Subject: expr: fix crash when listing non-verdict mappings

Fix regression introduced by commit 87c2a2205:

  netlink_delinearize: clone on netlink_get_register(), release previous on _set()

When using a non-verdict mapping, the set ref expression is assigned to the
destination register. The next get_register() will attempt to clone it and
crash because of the missing ->clone() callback.

# nft filter input meta mark set ip daddr map { 192.168.0.1 : 123 }
# nft list table filter
Segmentation fault (core dumped)

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 src/expression.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src/expression.c')

diff --git a/src/expression.c b/src/expression.c
index 8ba2e8a1..5b848da7 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -858,6 +858,11 @@ static void set_ref_expr_print(const struct expr *expr)
 		printf("@%s", expr->set->handle.set);
 }
 
+static void set_ref_expr_clone(struct expr *new, const struct expr *expr)
+{
+	new->set = set_get(expr->set);
+}
+
 static void set_ref_expr_destroy(struct expr *expr)
 {
 	set_free(expr->set);
@@ -867,6 +872,7 @@ static const struct expr_ops set_ref_expr_ops = {
 	.type		= EXPR_SET_REF,
 	.name		= "set reference",
 	.print		= set_ref_expr_print,
+	.clone		= set_ref_expr_clone,
 	.destroy	= set_ref_expr_destroy,
 };
 
-- 
cgit v1.2.3