On Wed, Jan 08, 2025 at 12:30:15PM +0100, Florian Westphal wrote: > bison uses cmd_free($$) as destructor, but base_cmd can > set it to NULL, e.g. > > | ELEMENT set_spec set_block_expr > { > if (nft_cmd_collapse_elems(CMD_ADD, state->cmds, &$2, $3)) { > handle_free(&$2); > expr_free($3); > $$ = NULL; // cmd set to NULL > break; > } > $$ = cmd_alloc(CMD_ADD, CMD_OBJ_ELEMENTS, &$2, &@$, $3); > > expr_free(NULL) is legal, cmd_free() causes crash. So just allow > this to avoid cluttering parser_bison.y with "if ($$)". > > Also add the afl-generated bogon input to the test files. > > Signed-off-by: Florian Westphal <fw@xxxxxxxxx> Reviewed-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> Thanks > --- > src/rule.c | 3 +++ > .../bogons/nft-f/cmd_is_null_on_free | 20 +++++++++++++++++++ > 2 files changed, 23 insertions(+) > create mode 100644 tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free > > diff --git a/src/rule.c b/src/rule.c > index 151ed531969c..cc43cd18b7c7 100644 > --- a/src/rule.c > +++ b/src/rule.c > @@ -1372,6 +1372,9 @@ void monitor_free(struct monitor *m) > > void cmd_free(struct cmd *cmd) > { > + if (cmd == NULL) > + return; > + > handle_free(&cmd->handle); > if (cmd->data != NULL) { > switch (cmd->obj) { > diff --git a/tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free b/tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free > new file mode 100644 > index 000000000000..6a42aa90cd53 > --- /dev/null > +++ b/tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free > @@ -0,0 +1,20 @@ > +nt rootepep test- { > +* : 1:3 } > + element root tesip { > +* : 1:3 } > + elent rootsel s1 { > + typ� elements < { "Linux" } > + } > +tatlet e t { > + thataepep test- { > +* : 1:3 } > + element root tesip { > +* : 1:3 }� table Cridgents < t { > +list set y p > + type i , { > + sel s1 { > + typ� elements < { "Linux" } > + } > +tatlet e t { > + thatable Cridgents < t { > +lis > -- > 2.45.2 > >
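Review bot: in the src/rule.c hunk, the new 'if (cmd == NULL) return;' at the top of cmd_free() carries no comment explaining how a NULL cmd can reach it. The reason is given only in the commit message (bison runs cmd_free($$) as the destructor, and base_cmd can set $$ to NULL after nft_cmd_collapse_elems()). A one-line comment above the check saying that the parser destructor may pass NULL would keep a later cleanup from removing it as dead code. The placement is right: it comes before the first dereference, handle_free(&cmd->handle).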
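Review bot: in the new tests/shell/testcases/bogons/nft-f/cmd_is_null_on_free file, the lines 'typ� elements < { "Linux" }' and '* : 1:3 }� table Cridgents < t {' contain bytes that do not render as text in this mail, and the reproducer depends on the exact byte sequence afl produced. It is worth confirming that the file applied from the inline patch is byte-identical to the original afl input, and that the test still triggers the crash when run against a build without the cmd_free() NULL check, so the bogon actually guards against a regression.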