From: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
To: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 1/3] evaluate: check for NULL datatype in rhs in lookup expr
Date: Wed, 11 May 2016 13:30:02 +0200
Message-ID: <146296620273.3706.17267671338035433056.stgit@nfdev2.cica.es>

If we are evaluating an EXPR_SET_REF, check if right->dtype is not NULL.
We can hit SEGFAULT if for whatever reason the referenced object does not
exist.

Using this testfile (note the invalid set syntax):

% cat test.nft
flush ruleset
add table t
add chain t c
add set t s {type ipv4_addr\;}
add rule t c ip saddr @s

Without this patch:

% nft -f test.nft
Segmentation fault

With this patch:

% nft -f test.nft
t.nft:4:28-28: Error: syntax error, unexpected junk, expecting newline or semicolon
add set t s {type ipv4_addr\;}
                           ^
t.nft:4:13-29: Error: set definition does not specify key data type
add set t s {type ipv4_addr\;}
            ^^^^^^^^^^^^^^^^^
t.nft:5:23-24: Error: the referenced object does not exists
add rule t c ip saddr @s
             ~~~~~~~~ ^^

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
 src/evaluate.c |   35 ++++++++++++++++++++++++++---------
 1 file changed, 26 insertions(+), 9 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 7444d09..6840790 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1210,16 +1210,33 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
 
 	switch (rel->op) {
 	case OP_LOOKUP:
-		/* A literal set expression implicitly declares the set */
-		if (right->ops->type == EXPR_SET)
+		switch (right->ops->type) {
+		case EXPR_SET:
+			/* A literal set expression implicitly declares
+			 * the set
+			 */
 			right = rel->right =
-				implicit_set_declaration(ctx, left->dtype, left->len, right);
-		else if (!datatype_equal(left->dtype, right->dtype))
-			return expr_binary_error(ctx->msgs, right, left,
-						 "datatype mismatch, expected %s, "
-						 "set has type %s",
-						 left->dtype->desc,
-						 right->dtype->desc);
+				implicit_set_declaration(ctx, left->dtype,
+							 left->len, right);
+			break;
+		case EXPR_SET_REF:
+			if (right->dtype == NULL)
+				return expr_binary_error(ctx->msgs, right,
+							 left, "the referenced"
+							 " object does not "
+							 "exists");
+			if (!datatype_equal(left->dtype, right->dtype))
+				return expr_binary_error(ctx->msgs, right,
+							 left, "datatype "
+							 "mismatch, expected "
+							 "%s, set has type %s",
+							 left->dtype->desc,
+							 right->dtype->desc);
+			break;
+		default:
+			BUG("unhandled right expression type %u\n",
+			    right->ops->type);
+		}
 
 		/* Data for range lookups needs to be in big endian order */
 		if (right->set->flags & SET_F_INTERVAL &&
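
Review bot: the new default: branch at the end of the inner switch sends every right-hand expression type other than EXPR_SET and EXPR_SET_REF to BUG(), whereas the removed else-if ran all non-EXPR_SET types through the datatype_equal() check, and the commit message does not mention this change. If any other expression type can reach OP_LOOKUP from a ruleset file, malformed input would end in BUG() instead of a reported error, so either state in the commit message why only these two types are possible here or return expr_binary_error() in that branch. Separately, in the EXPR_SET_REF case the new message reads "does not exists" (should be "does not exist") and is split across three string literals, which makes it hard to grep for; keeping the string on one line would help, and the same applies to the re-wrapped "datatype mismatch" message.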

