[PATCH nft 1/2] evaluate: bogus datatype assertion in binary operation evaluation

[PATCH nft 1/2] evaluate: bogus datatype assertion in binary operation evaluation

[Pablo Neira Ayuso]

Use datatype_equal(), otherwise dynamically allocated datatype fails
to fulfill the datatype pointer check, triggering the assertion:

 nft: evaluate.c:1249: expr_evaluate_binop: Assertion `expr_basetype(left) == expr_basetype(right)' failed.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1636
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c                                             | 2 +-
 .../shell/testcases/optimizations/dumps/not_mergeable.nft  | 7 +++++++
 tests/shell/testcases/optimizations/not_mergeable          | 6 ++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index a52867b33be0..2e2b8df0f004 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1265,7 +1265,7 @@ static int expr_evaluate_binop(struct eval_ctx *ctx, struct expr **expr)
 					 sym, expr_name(right));
 
 	/* The grammar guarantees this */
-	assert(expr_basetype(left) == expr_basetype(right));
+	assert(datatype_equal(expr_basetype(left), expr_basetype(right)));
 
 	switch (op->op) {
 	case OP_LSHIFT:
diff --git a/tests/shell/testcases/optimizations/dumps/not_mergeable.nft b/tests/shell/testcases/optimizations/dumps/not_mergeable.nft
index 08b2b58f66c3..02b89207b0cb 100644
--- a/tests/shell/testcases/optimizations/dumps/not_mergeable.nft
+++ b/tests/shell/testcases/optimizations/dumps/not_mergeable.nft
@@ -5,8 +5,15 @@ table ip x {
 	chain t2 {
 	}
 
+	chain t3 {
+	}
+
+	chain t4 {
+	}
+
 	chain y {
 		counter packets 0 bytes 0 jump t1
 		counter packets 0 bytes 0 jump t2
+		ip version vmap { 4 : jump t3, 6 : jump t4 }
 	}
 }
diff --git a/tests/shell/testcases/optimizations/not_mergeable b/tests/shell/testcases/optimizations/not_mergeable
index 25635cdd653d..ddb2f0fd86fc 100755
--- a/tests/shell/testcases/optimizations/not_mergeable
+++ b/tests/shell/testcases/optimizations/not_mergeable
@@ -7,9 +7,15 @@ RULESET="table ip x {
 	}
 	chain t2 {
 	}
+	chain t3 {
+	}
+	chain t4 {
+	}
 	chain y {
 		counter jump t1
 		counter jump t2
+		ip version 4 jump t3
+		ip version 6 jump t4
 	}
 }"
 
-- 
2.30.2

[PATCH nft 2/2] evaluate: datatype memleak after binop transfer

[Pablo Neira Ayuso]

The following ruleset:

	ip version vmap { 4 : jump t3, 6 : jump t4 }

results in a memleak.

expr_evaluate_shift() overrides the datatype which results in a datatype
memleak after the binop transfer that triggers a left-shift of the
constant (in the map).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 2e2b8df0f004..0bf6a0d1b110 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1189,7 +1189,6 @@ static int expr_evaluate_shift(struct eval_ctx *ctx, struct expr **expr)
 	if (byteorder_conversion(ctx, &op->right, BYTEORDER_HOST_ENDIAN) < 0)
 		return -1;
 
-	op->dtype     = &integer_type;
 	op->byteorder = BYTEORDER_HOST_ENDIAN;
 	op->len       = left->len;
 
-- 
2.30.2