Inputs:
ip protocol . th dport { tcp / 22, }'
or
th dport . ip protocol { tcp / 22, }'
are not rejected at this time. 'list ruleset' yields:
ip protocol & nft: src/gmputil.c:77: mpz_get_uint8: Assertion `cnt <= 1' failed.
or
th dport & nft: src/gmputil.c:87: mpz_get_be16: Assertion `cnt <= 1' failed.
While this should be caught at input too, the print path should be more
robust, e.g. when there are direct nfnetlink users.
After this patch, the print functions fall back to
'integer_type_print' which can handle large numbers too.
Note that the output printed this way cannot be read back by nft;
it will dump something like:
tcp dport & 18446739675663040512 . ip protocol 0 . 0
but thats better than assert().
v2: same problem exists for service too.
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
src/datatype.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/datatype.c b/src/datatype.c
index 86d55a524269..74899dec221f 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -715,7 +715,8 @@ const struct datatype ip6addr_type = {
static void inet_protocol_type_print(const struct expr *expr,
struct output_ctx *octx)
{
- if (!nft_output_numeric_proto(octx)) {
+ if (!nft_output_numeric_proto(octx) &&
+ mpz_cmp_ui(expr->value, UINT8_MAX) <= 0) {
char name[NFT_PROTONAME_MAXSIZE];
if (nft_getprotobynumber(mpz_get_uint8(expr->value), name, sizeof(name))) {
@@ -796,7 +797,8 @@ static void inet_service_print(const struct expr *expr, struct output_ctx *octx)
void inet_service_type_print(const struct expr *expr, struct output_ctx *octx)
{
- if (nft_output_service(octx)) {
+ if (nft_output_service(octx) &&
+ mpz_cmp_ui(expr->value, UINT16_MAX) <= 0) {
inet_service_print(expr, octx);
return;
}
--
2.41.0
