[nft PATCH 4/6] flowtable: Make parsing a little more robust

It was surprisingly easy to crash nft with invalid syntax in 'add
flowtable' command. Catch at least three possible ways (illustrated in
provided test case) by making evaluation phase survive so that bison
gets a chance to complain.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 src/evaluate.c                                 |  6 ++++++
 src/expression.c                               |  2 +-
 tests/shell/testcases/flowtable/0006segfault_0 | 14 ++++++++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100755 tests/shell/testcases/flowtable/0006segfault_0

diff --git a/src/evaluate.c b/src/evaluate.c
index 6ae94b0f56de5..d224f0f3c2c16 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2838,6 +2838,9 @@ static int flowtable_evaluate(struct eval_ctx *ctx, struct flowtable *ft)
 	if (ft->hooknum == NF_INET_NUMHOOKS)
 		return chain_error(ctx, ft, "invalid hook %s", ft->hookstr);
 
+	if (!ft->dev_expr)
+		return chain_error(ctx, ft, "Unbound flowtable not allowed (must specify devices)");
+
 	return 0;
 }
 
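Review bot: the new diagnostic "Unbound flowtable not allowed (must specify devices)" is capitalised and wordier than the neighbouring "invalid hook %s"; nft error messages in this function are lowercase and terse, so something like `"flowtable needs a device list"` would read consistently. Since the helper is named chain_error, the text itself should keep saying "flowtable" so the user is not misled about which object failed. Note also that the hook check returns first, so a flowtable missing both a hook and devices reports only the hook error; that is acceptable but worth a mention in the commit message.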
@@ -2874,6 +2877,9 @@ static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule)
 
 static uint32_t str2hooknum(uint32_t family, const char *hook)
 {
+	if (!hook)
+		return NF_INET_NUMHOOKS;
+
 	switch (family) {
 	case NFPROTO_IPV4:
 	case NFPROTO_BRIDGE:
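Review bot: returning NF_INET_NUMHOOKS for a NULL hook string avoids the crash inside str2hooknum, but the caller shown in the previous hunk then formats `ft->hookstr` with `"invalid hook %s"`, and hookstr is presumably exactly the NULL that got here, so the error path now passes NULL to %s (undefined behaviour; glibc prints "(null)", other libcs may still crash). Prefer checking `!ft->hookstr` in flowtable_evaluate before the hook lookup and reporting a dedicated error such as `"flowtable needs a hook"`; that also keeps the NULL guard out of a helper that chains share.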
diff --git a/src/expression.c b/src/expression.c
index 5f023d2ad88e7..e698b14c969c7 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -65,7 +65,7 @@ void expr_free(struct expr *expr)
 		return;
 	if (--expr->refcnt > 0)
 		return;
-	if (expr->ops->destroy)
+	if (expr->ops && expr->ops->destroy)
 		expr->ops->destroy(expr);
 	xfree(expr);
 }
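Review bot: the `expr->ops &&` guard hides rather than fixes the root cause: an expression that reaches expr_free with `ops == NULL` was never fully constructed, and any other consumer that dereferences `expr->ops` (printing, cloning, evaluation) would still crash on the same object. The patch should name, in a comment here or in the commit message, which parser error path hands over such a half-built expression, and whether that path ought to set ops (or release the allocation with xfree directly) before bailing out, so the guard is documented as intentional rather than looking like an accidental NULL check.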
diff --git a/tests/shell/testcases/flowtable/0006segfault_0 b/tests/shell/testcases/flowtable/0006segfault_0
new file mode 100755
index 0000000000000..de590b77de89f
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0006segfault_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Make sure nft does not segfault when given invalid syntax in 'add flowtable' commands.
+
+$NFT add table ip t
+
+$NFT add flowtable ip t f { hook ingress priority 10\; devices = { lo } }
+[[ $? -eq 1 ]] || exit 1
+
+$NFT add flowtable ip t f { hook ingress\; priority 10\; }
+[[ $? -eq 1 ]] || exit 1
+
+$NFT add flowtable ip t f { hook ingress priority 10\; }
+[[ $? -eq 1 ]] || exit 1
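Review bot: the exit status of `$NFT add table ip t` is never checked, so if table creation fails (missing permissions, stale ruleset) all three flowtable commands fail with status 1 for the wrong reason and the test passes vacuously; append `|| exit 1` to that line. The `[[ $? -eq 1 ]]` checks themselves are sound as a segfault guard, since a crash would surface as status 139 under bash rather than 1, but matching the expected error text on stderr would additionally pin down that each command fails in the parser or evaluator as intended.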
-- 
2.16.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
