bison uses cmd_free($$) as destructor, but base_cmd can set it to NULL, e.g. | ELEMENT set_spec set_block_expr { if (nft_cmd_collapse_elems(CMD_ADD, state->cmds, &$2, $3)) { handle_free(&$2); expr_free($3); $$ = NULL; // cmd set to NULL break; } $$ = cmd_alloc(CMD_ADD, CMD_OBJ_ELEMENTS, &$2, &@$, $3); expr_free(NULL) is legal, cmd_free() causes crash. So just allow this to avoid cluttering parser_bison.y with "if ($$)". Also add the afl-generated bogon input to the test files. Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- src/rule.c | 3 +++ .../bogons/nft-f/cmd_is_null_on_free | 20 +++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free diff --git a/src/rule.c b/src/rule.c index 151ed531969c..cc43cd18b7c7 100644 --- a/src/rule.c +++ b/src/rule.c @@ -1372,6 +1372,9 @@ void monitor_free(struct monitor *m) void cmd_free(struct cmd *cmd) { + if (cmd == NULL) + return; + handle_free(&cmd->handle); if (cmd->data != NULL) { switch (cmd->obj) { diff --git a/tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free b/tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free new file mode 100644 index 000000000000..6a42aa90cd53 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free @@ -0,0 +1,20 @@ +nt rootepep test- { +* : 1:3 } + element root tesip { +* : 1:3 } + elent rootsel s1 { + typ� elements < { "Linux" } + } +tatlet e t { + thataepep test- { +* : 1:3 } + element root tesip { +* : 1:3 }� table Cridgents < t { +list set y p + type i , { + sel s1 { + typ� elements < { "Linux" } + } +tatlet e t { + thatable Cridgents < t { +lis -- 2.45.2
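Review bot: The new `if (cmd == NULL) return;` guard at the top of cmd_free() carries no comment explaining why a NULL cmd can reach it, so a later cleanup could drop it as dead code. A one-line comment above the check would help, noting that the bison destructor calls cmd_free($$) and that base_cmd can leave $$ as NULL after nft_cmd_collapse_elems() succeeds. The `== NULL` spelling matches the `cmd->data != NULL` test a few lines further down, so the style is fine as it stands.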
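Review bot: The added bogon file cmd_is_null_on_free contains non-ASCII bytes as shown here (a replacement character follows `typ` in two places and one `* : 1:3 }` line), and a patch sent inline in mail may not preserve such bytes exactly. If they are needed to reach the crash, please confirm that the file applies byte for byte from the mail. Otherwise, consider reducing the 20 lines of afl output to a printable input that still takes the `$$ = NULL` path, which would also make it clearer which part of the file the test depends on.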