On Tue, Mar 11, 2025 at 02:07:03PM +0100, Florian Westphal wrote:
> Sometimes nftables will segfault when doing error-unwind of the included
> afl-generated bogon.
>
> The problem is the unconditional write access to expr->set_flags in
> expr_evaluate_map():
>
>	mappings->set_flags |= NFT_SET_MAP;
>
> ... but mappings can point to EXPR_VARIABLE (legal), where this will flip
> a bit in unused, but allocated memory (i.e., has no effect).
>
> In case of the bogon, mapping is EXPR_RANGE_SYMBOL, and the store can flip
> a bit in identifier_range[1]; this causes a crash when the pointer is freed.
>
> We can't use expr->set_flags unconditionally, so rework this to pass
> set_flags as argument and place all read and write accesses in places where
> we've made sure we are dealing with EXPR_SET.
>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>

Reviewed-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
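As an added illustration (not nftables code and not the patch under review), the C model below reproduces the union type confusion the commit message describes: set_flags and identifier_range[1] share storage, so the pre-fix unconditional OR silently rewrites a heap pointer whenever mappings is an EXPR_RANGE_SYMBOL, while the post-fix shape keeps set_flags in a caller-owned variable and only touches the union member after checking etype. The struct layout, the function names, the local NFT_SET_MAP define and the sample operands are assumptions made for this model; only the bug pattern and the shape of the fix follow the description above.

```c
/*
 * Toy model of the bug in the commit message: an expression union whose
 * EXPR_SET view (set_flags) overlaps the EXPR_RANGE_SYMBOL view
 * (identifier_range[1]).  Everything here is made up for the illustration;
 * it is not nftables' real struct expr or the reviewed diff.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NFT_SET_MAP 0x8u   /* same value as the kernel UAPI flag (assumed here) */

enum expr_types { EXPR_SET, EXPR_VARIABLE, EXPR_RANGE_SYMBOL };

/* Hypothetical layout: after the pointer-sized expressions field, set_flags
 * sits at the same union offset as identifier_range[1] on both 32- and
 * 64-bit targets. */
struct expr {
	enum expr_types etype;
	union {
		struct {                     /* EXPR_SET */
			void *expressions;   /* stand-in for the expression list head */
			uint32_t set_flags;
		} set;
		struct {                     /* EXPR_RANGE_SYMBOL */
			char *identifier_range[2];
		} range;
		struct {                     /* EXPR_VARIABLE */
			const char *name;    /* set_flags lands in padding here: no effect */
		} var;
	} u;
};

/* Before the fix: the store goes through the EXPR_SET view of the union
 * no matter what etype actually is. */
static void expr_evaluate_map_buggy(struct expr *mappings)
{
	mappings->u.set.set_flags |= NFT_SET_MAP;
}

/* After the fix, in the shape the commit message describes: the caller owns
 * a plain uint32_t set_flags, the map flag is ORed into that local, and the
 * union member is only written once etype has been checked. */
static void expr_evaluate_map_fixed(struct expr *mappings, uint32_t *set_flags)
{
	*set_flags |= NFT_SET_MAP;
	if (mappings->etype == EXPR_SET)
		mappings->u.set.set_flags |= *set_flags;
}

/* Build an EXPR_RANGE_SYMBOL the way the afl bogon would reach it, run one
 * of the two evaluators on it and report whether identifier_range[1] changed.
 * Returns 1 if the pointer was corrupted, 0 if it survived intact. */
static int range_symbol_corrupted(int use_fixed)
{
	struct expr *e = calloc(1, sizeof(*e));
	char *lo = malloc(16), *hi = malloc(16);
	uint32_t set_flags = 0;
	int corrupted;

	if (!e || !lo || !hi)
		abort();
	strcpy(lo, "10.0.0.1");    /* constructed sample range operands */
	strcpy(hi, "10.0.0.255");
	e->etype = EXPR_RANGE_SYMBOL;
	e->u.range.identifier_range[0] = lo;
	e->u.range.identifier_range[1] = hi;

	if (use_fixed)
		expr_evaluate_map_fixed(e, &set_flags);
	else
		expr_evaluate_map_buggy(e);

	/* malloc() returns 16-byte aligned pointers, so bit 3 is clear and the
	 * buggy OR flips it (on little-endian the flag word is the pointer's
	 * low half; on big-endian it would be the high half). */
	corrupted = e->u.range.identifier_range[1] != hi;

	/* Release through the saved pointers, never through the union: freeing
	 * the corrupted identifier_range[1] is exactly the crash in the report. */
	free(lo);
	free(hi);
	free(e);
	return corrupted;
}

/* For a genuine EXPR_SET the fixed path must still record NFT_SET_MAP. */
static int set_gets_map_flag(void)
{
	struct expr e;
	uint32_t set_flags = 0;

	memset(&e, 0, sizeof(e));
	e.etype = EXPR_SET;
	expr_evaluate_map_fixed(&e, &set_flags);
	return (e.u.set.set_flags & NFT_SET_MAP) != 0 &&
	       (set_flags & NFT_SET_MAP) != 0;
}

int main(void)
{
	printf("buggy evaluator corrupts identifier_range[1]: %d\n", range_symbol_corrupted(0));
	printf("fixed evaluator corrupts identifier_range[1]: %d\n", range_symbol_corrupted(1));
	printf("fixed evaluator still sets NFT_SET_MAP on EXPR_SET: %d\n", set_gets_map_flag());
	return 0;
}
```

The model deliberately never frees the overwritten pointer, so it reports the corruption instead of segfaulting; running the buggy variant under ASan with a `free(e->u.range.identifier_range[1])` in place would reproduce the crash the report describes. The general lesson is the one the commit message states: any read or write of a union member must sit behind a check of the discriminator, which is why the fix moves set_flags out of the union access path entirely.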