On Mon, Mar 10, 2025 at 08:29:37AM +0100, Florian Westphal wrote: > In this case, evaluation step replaces the range expression with a > single value and we'd crash as range->left/right contain garbage > values. > > Simply replace the input expression with the evaluation result. > > Also add a test case modeled on the afl reproducer. > > Fixes: fe6cc0ad29cd ("evaluate: consolidate evaluation of symbol range expression") > Signed-off-by: Florian Westphal <fw@xxxxxxxxx> Reviewed-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> Thanks for fixing this silly bug. > --- > src/evaluate.c | 5 +++ > .../dumps/range_with_same_start_end.json-nft | 35 +++++++++++++++++++ > .../sets/dumps/range_with_same_start_end.nft | 7 ++++ > .../testcases/sets/range_with_same_start_end | 13 +++++++ > 4 files changed, 60 insertions(+) > create mode 100644 tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft > create mode 100644 tests/shell/testcases/sets/dumps/range_with_same_start_end.nft > create mode 100755 tests/shell/testcases/sets/range_with_same_start_end > > diff --git a/src/evaluate.c b/src/evaluate.c > index e27d08ce7ef8..722c11a23c2d 100644 > --- a/src/evaluate.c > +++ b/src/evaluate.c > @@ -2351,6 +2351,10 @@ static int expr_evaluate_symbol_range(struct eval_ctx *ctx, struct expr **exprp) > expr_free(range); > return -1; > } > + > + if (range->etype != EXPR_RANGE) > + goto out_done; > + > left = range->left; > right = range->right; > > @@ -2371,6 +2375,7 @@ static int expr_evaluate_symbol_range(struct eval_ctx *ctx, struct expr **exprp) > return 0; > } > > +out_done: > expr_free(expr); > *exprp = range; > > diff --git a/tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft b/tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft > new file mode 100644 > index 000000000000..c4682475917e > --- /dev/null > +++ b/tests/shell/testcases/sets/dumps/range_with_same_start_end.json-nft 
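Review bot: The new `if (range->etype != EXPR_RANGE) goto out_done;` guard relies on a non-obvious invariant — that expr_evaluate() on the just-built range can hand back something that is no longer a range — and nothing in the code says why; the commit message gives the reason (a range whose endpoints are equal is folded into a single value), so that belongs next to the check, e.g. `/* expr_evaluate() folds a range with equal endpoints into a single value; there is no left/right to inspect then */`. The jump also skips everything between the guard and the `return 0` shown in the second hunk, and that stretch is outside the hunk so I cannot confirm what it contains; if any of it sets type or length on the result rather than just validating `left`/`right`, a collapsed value now bypasses it, which deserves either a sentence in the commit message or a test asserting the folded element still has the expected datatype. expr_evaluate_symbol_range starts and ends outside the hunks.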
> @@ -0,0 +1,35 @@ > +{ > + "nftables": [ > + { > + "metainfo": { > + "version": "VERSION", > + "release_name": "RELEASE_NAME", > + "json_schema_version": 1 > + } > + }, > + { > + "table": { > + "family": "ip", > + "name": "t", > + "handle": 0 > + } > + }, > + { > + "set": { > + "family": "ip", > + "name": "X", > + "table": "t", > + "type": "inet_service", > + "handle": 0, > + "flags": [ > + "interval" > + ], > + "elem": [ > + 10, > + 30, > + 35 > + ] > + } > + } > + ] > +} > diff --git a/tests/shell/testcases/sets/dumps/range_with_same_start_end.nft b/tests/shell/testcases/sets/dumps/range_with_same_start_end.nft > new file mode 100644 > index 000000000000..78979e9e0d5e > --- /dev/null > +++ b/tests/shell/testcases/sets/dumps/range_with_same_start_end.nft > @@ -0,0 +1,7 @@ > +table ip t { > + set X { > + type inet_service > + flags interval > + elements = { 10, 30, 35 } > + } > +} > diff --git a/tests/shell/testcases/sets/range_with_same_start_end b/tests/shell/testcases/sets/range_with_same_start_end > new file mode 100755 > index 000000000000..127f0921f0de > --- /dev/null > +++ b/tests/shell/testcases/sets/range_with_same_start_end > @@ -0,0 +1,13 @@ > +#!/bin/bash > + > +set -e > + > +$NFT -f - <<EOF > +table ip t { > + set X { > + type inet_service > + flags interval > + elements = { 10, 30-30, 30, 35 } > + } > +} > +EOF > -- > 2.45.3 > >