From 4be0a3f922a2944a941316fad76a717cd46691bd Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Mon, 19 Mar 2018 18:02:05 +0100
Subject: flowtable: Make parsing a little more robust
It was surprisingly easy to crash nft with invalid syntax in 'add flowtable' command. Catch at least three possible ways (illustrated in provided test case) by making evaluation phase survive so that bison gets a chance to complain.
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
tests/shell/testcases/flowtable/0006segfault_0 | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100755 tests/shell/testcases/flowtable/0006segfault_0
(limited to 'tests/shell/testcases')
diff --git a/tests/shell/testcases/flowtable/0006segfault_0 b/tests/shell/testcases/flowtable/0006segfault_0
new file mode 100755
index 00000000..de590b77
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0006segfault_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Make sure nft does not segfault when given invalid syntax in 'add flowtable' commands.
+
+$NFT add table ip t
+
+$NFT add flowtable ip t f { hook ingress priority 10\; devices = { lo } }
+[[ $? -eq 1 ]] || exit 1
+
+$NFT add flowtable ip t f { hook ingress\; priority 10\; }
+[[ $? -eq 1 ]] || exit 1
+
+$NFT add flowtable ip t f { hook ingress priority 10\; }
+[[ $? -eq 1 ]] || exit 1
-- cgit v1.2.3
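Review bot: The three `[[ $? -eq 1 ]]` checks accept any ordinary nft failure, and the setup command `$NFT add table ip t` is not checked at all, so the script presumably cannot tell the intended rejection of a malformed flowtable from an unrelated error such as a failed table creation. Guarding the setup with `$NFT add table ip t || exit 1` would make a broken environment fail loudly instead of passing for the wrong reason. The header comment should also say why status 1 is the pass condition: bash reports a signal-killed process with a status above 128, so a segfault can never satisfy `-eq 1`. A one-line comment above each of the three commands naming the malformed element it exercises would let a later reader map a regression back to the parser path that broke.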