On Sun, Jun 26, 2022 at 12:47:07AM -0500, Peter Tirsek wrote:
> Adding elements to a set or map with an invalid definition causes nft to
> segfault. The following nftables.conf triggers the crash:
>
>   flush ruleset
>   create table inet filter
>   set inet filter foo {}
>   add element inet filter foo { foobar }
>
> Simply parsing and checking the config will trigger it:
>
>   $ nft -c -f nftables.conf.crash
>   Segmentation fault
>
> The error in the set/map definition is correctly caught and queued, but
> because the set is invalid and does not contain a key type, adding to it
> causes a NULL pointer dereference of set->key within setelem_evaluate().
>
> I don't think it's necessary to queue another error since the underlying
> problem is correctly detected and reported when parsing the definition
> of the set. Simply checking the validity of set->key before using it
> seems to fix it, causing the error in the definition of the set to be
> reported properly. The element type error isn't caught, but that seems
> reasonable since the key type is invalid or unknown anyway:
>
>   $ ./nft -c -f ~/nftables.conf.crash
>   /home/pti/nftables.conf.crash:3:21-21: Error: set definition does not specify key
>   set inet filter foo {}
>                       ^

Applied, thanks
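
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not nftables source: a simplified C model in which a set definition error is queued while the set stays reachable, so the element pass has to test the key pointer before using it. All struct and function names (`key_type`, `set_def`, `eval_ctx`, `set_define`, `elem_evaluate`, `check_ruleset`) and the 4-byte sample key are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model, not nftables source; every name here is hypothetical. */
struct key_type { unsigned int len; };            /* stand-in for a set key */
struct set_def  { const struct key_type *key; };
struct eval_ctx { int errors; };                  /* queued error count */
static const struct key_type ipv4_key = { 4 };    /* constructed sample key */

/* Definition pass: a keyless "set foo {}" queues one error, but the set
 * object stays reachable by later commands with key == NULL. */
int set_define(struct eval_ctx *ctx, struct set_def *set, const struct key_type *key)
{
    set->key = key;
    if (key != NULL)
        return 0;
    ctx->errors++;
    fprintf(stderr, "Error: set definition does not specify key\n");
    return -1;
}

/* Element pass. Without the NULL test, set->key->len below would be read
 * through a NULL pointer, which is the crash described in the thread. */
int elem_evaluate(struct eval_ctx *ctx, const struct set_def *set, unsigned int elem_len)
{
    if (set->key == NULL)
        return -1;   /* definition error already queued; add no second one */
    if (elem_len == set->key->len)
        return 0;
    ctx->errors++;
    fprintf(stderr, "Error: element is %u bytes, key is %u\n", elem_len, set->key->len);
    return -1;
}

/* Runs both passes, as a check-only parse would; returns queued errors. */
int check_ruleset(const struct key_type *key, unsigned int elem_len)
{
    struct eval_ctx ctx = { 0 };
    struct set_def set = { NULL };
    set_define(&ctx, &set, key);
    elem_evaluate(&ctx, &set, elem_len);
    return ctx.errors;
}

int main(void)
{
    printf("keyless set: %d error(s)\n", check_ruleset(NULL, 6));
    return check_ruleset(&ipv4_key, 4);   /* 0 on a valid set */
}
```

For the keyless set, only the definition error is counted, matching the behaviour described in the quoted message where the element type error is not reported.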