On Thu, Aug 20, 2020 at 09:05:50PM +0200, Florian Westphal wrote:
> Following bug was reported via irc:
> nft list ruleset
> set knock_candidates_ipv4 {
> type ipv4_addr . inet_service
> size 65535
> elements = { 127.0.0.1 . 123,
> 127.0.0.1 . 123 }
> }
> ..
> udp dport 123 add @knock_candidates_ipv4 { ip saddr . 123 }
> udp dport 123 add @knock_candidates_ipv4 { ip saddr . udp dport }
>
> It should not have been possible to add a duplicate set entry.
>
> After some debugging it turned out that the problem is the immediate
> value (123) in the second-to-last rule.
>
> Concatenations use 32bit registers, i.e. the elements are 8 bytes each,
> not 6 and it turns out the kernel inserted
>
> inet firewall @knock_candidates_ipv4
> element 0100007f ffff7b00 : 0 [end]
> element 0100007f 00007b00 : 0 [end]
>
> Note the non-zero upper bits of the first element. It turns out that
> nft_immediate doesn't zero the destination register, but this is needed
> when the length isn't a multiple of 4.
>
> Furthermore, the zeroing in nft_payload is broken. We can't use
> [len / 4] = 0 -- if len is a multiple of 4, index is off by one.
>
> Skip zeroing in this case and use a conditional instead of (len -1) / 4.
Applied, thanks.
