Re: [PATCH nft] evaluate: bogus error when refering to existing non-base chain

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Pablo,

On Tue, Jul 16, 2019 at 01:51:20PM +0200, Pablo Neira Ayuso wrote:
[...]
> diff --git a/src/evaluate.c b/src/evaluate.c
> index f95f42e1067a..cd566e856a11 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -1984,17 +1984,9 @@ static int stmt_evaluate_verdict(struct eval_ctx *ctx, struct stmt *stmt)
>  	case EXPR_VERDICT:
>  		if (stmt->expr->verdict != NFT_CONTINUE)
>  			stmt->flags |= STMT_F_TERMINAL;
> -		if (stmt->expr->chain != NULL) {
> -			if (expr_evaluate(ctx, &stmt->expr->chain) < 0)
> -				return -1;
> -			if ((stmt->expr->chain->etype != EXPR_SYMBOL &&
> -			    stmt->expr->chain->etype != EXPR_VALUE) ||
> -			    stmt->expr->chain->symtype != SYMBOL_VALUE) {
> -				return stmt_error(ctx, stmt,
> -						  "invalid verdict chain expression %s\n",
> -						  expr_name(stmt->expr->chain));
> -			}
> -		}

According to my logs, this bit was added by Fernando to cover for
invalid variable values[1]. So I fear we can't just drop this check.

Cheers, Phil

[1] I didn't check with current sources, but back then the following
    variable contents were problematic:

    * define foo = @set1 (a set named 'set1' must exist)
    * define foo = { 1024 }
    * define foo = *



[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux