79 lines
2.5 KiB
Diff
79 lines
2.5 KiB
Diff
From 48aca2de80a7dd73f8f3a461c7f7ed47b6082766 Mon Sep 17 00:00:00 2001
|
|
From: Florian Westphal <fw@strlen.de>
|
|
Date: Fri, 3 Dec 2021 17:07:55 +0100
|
|
Subject: iptopt: fix crash with invalid field/type combo
|
|
|
|
% nft describe ip option rr value
|
|
segmentation fault
|
|
|
|
after this fix, this exits with 'Error: unknown ip option type/field'.
|
|
|
|
Problem is that 'rr' doesn't have a value template, so the template
|
|
struct is
|
|
all-zeroes, so we crash when trying to use tmpl->dtype (its NULL).
|
|
|
|
Furthermore, expr_describe tries to print expr->identifier but expr is
|
|
exthdr, not symbol: ->identifier contains garbage.
|
|
|
|
Conflict: NA
|
|
Reference:
|
|
https://git.netfilter.org/nftables/commit/?id=48aca2de80a7dd73f8f3a461c7f7ed47b6082766
|
|
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
---
|
|
src/expression.c | 7 +++----
|
|
src/ipopt.c | 2 ++
|
|
src/parser_bison.y | 4 ++++
|
|
3 files changed, 9 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/src/expression.c b/src/expression.c
|
|
index 4c0874f..1a88f08 100644
|
|
--- a/src/expression.c
|
|
+++ b/src/expression.c
|
|
@@ -135,12 +135,11 @@ void expr_describe(const struct expr *expr, struct output_ctx *octx)
|
|
nft_print(octx, "datatype %s (%s)",
|
|
dtype->name, dtype->desc);
|
|
len = dtype->size;
|
|
- } else if (dtype != &invalid_type) {
|
|
+ } else {
|
|
nft_print(octx, "%s expression, datatype %s (%s)",
|
|
expr_name(expr), dtype->name, dtype->desc);
|
|
- } else {
|
|
- nft_print(octx, "datatype %s is invalid\n", expr->identifier);
|
|
- return;
|
|
+ if (dtype == &invalid_type)
|
|
+ return;
|
|
}
|
|
|
|
if (dtype->basetype != NULL) {
|
|
diff --git a/src/ipopt.c b/src/ipopt.c
|
|
index 5f9f908..fdd3f93 100644
|
|
--- a/src/ipopt.c
|
|
+++ b/src/ipopt.c
|
|
@@ -97,6 +97,8 @@ struct expr *ipopt_expr_alloc(const struct location *loc, uint8_t type,
|
|
if (!tmpl)
|
|
return NULL;
|
|
|
|
+ if (!tmpl->len)
|
|
+ return NULL;
|
|
expr = expr_alloc(loc, EXPR_EXTHDR, tmpl->dtype,
|
|
BYTEORDER_BIG_ENDIAN, tmpl->len);
|
|
expr->exthdr.desc = desc;
|
|
diff --git a/src/parser_bison.y b/src/parser_bison.y
|
|
index 83f0250..65ba6a4 100644
|
|
--- a/src/parser_bison.y
|
|
+++ b/src/parser_bison.y
|
|
@@ -5296,6 +5296,10 @@ ip_hdr_expr : IP ip_hdr_field close_scope_ip
|
|
| IP OPTION ip_option_type ip_option_field close_scope_ip
|
|
{
|
|
$$ = ipopt_expr_alloc(&@$, $3, $4, 0);
|
|
+ if (!$$) {
|
|
+ erec_queue(error(&@1, "unknown ip option type/field"), state->msgs);
|
|
+ YYERROR;
|
|
+ }
|
|
}
|
|
| IP OPTION ip_option_type close_scope_ip
|
|
{
|
|
--
|
|
2.23.0
|
|
|