From c8b350392e23c3d33bdc65e6fed49bded672c181 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 3 May 2022 11:30:57 +0200
Subject: optimize: incorrect logic in verdict comparison

Keep inspecting rule verdicts before assuming they are equal. Update
existing test to catch this bug.

Fixes: 1542082e259b ("optimize: merge same selector with different verdict into verdict map")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/optimize.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/optimize.c b/src/optimize.c
index 4ad25fab..6d6a6d65 100644
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -622,12 +622,14 @@ static bool stmt_verdict_cmp(const struct optimize_ctx *ctx,
 		stmt_a = ctx->stmt_matrix[i][k];
 		stmt_b = ctx->stmt_matrix[i + 1][k];
 		if (!stmt_a && !stmt_b)
-			return true;
-		if (stmt_verdict_eq(stmt_a, stmt_b))
-			return true;
+			continue;
+		if (!stmt_a || !stmt_b)
+			return false;
+		if (!stmt_verdict_eq(stmt_a, stmt_b))
+			return false;
 	}
 
-	return false;
+	return true;
 }
 
 static void rule_optimize_print(struct output_ctx *octx,
-- 
cgit v1.2.3