From 4dbfa17097512b6b88805299223f93e90a072ea6 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 12 Oct 2022 12:50:26 +0200
Subject: netlink_delinearize: do not transfer binary operation to
 non-anonymous sets

Michael Braun says:

This results for nft list ruleset in
  nft: netlink_delinearize.c:1945: binop_adjust_one: Assertion `value->len >= binop->right->len' failed.

This is due to binop_adjust_one setting value->len to left->len, which
is shorther than right->len.

Additionally, it does not seem correct to alter set elements from parsing a
rule, so remove that part all together.

Reported-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/netlink_delinearize.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src/netlink_delinearize.c')

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index e8b9724c..828ad12d 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -2228,6 +2228,9 @@ static void binop_adjust(const struct expr *binop, struct expr *right,
 		binop_adjust_one(binop, right, shift);
 		break;
 	case EXPR_SET_REF:
+		if (!set_is_anonymous(right->set->flags))
+			break;
+
 		list_for_each_entry(i, &right->set->init->expressions, list) {
 			switch (i->key->etype) {
 			case EXPR_VALUE:
-- 
cgit v1.2.3