[nft] evaluate: bogus error when refering to existing non-base chain

add rule ip testNEW test6 jump test8
                                ^^^^^
 Error: invalid verdict chain expression value

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

Hi Pablo,

On Tue, Jul 16, 2019 at 01:51:20PM +0200, Pablo Neira Ayuso wrote:
[...]
> diff --git a/src/evaluate.c b/src/evaluate.c
> index f95f42e1067a..cd566e856a11 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -1984,17 +1984,9 @@ static int stmt_evaluate_verdict(struct eval_ctx *ctx, struct stmt *stmt)
>  	case EXPR_VERDICT:
>  		if (stmt->expr->verdict != NFT_CONTINUE)
>  			stmt->flags |= STMT_F_TERMINAL;
> -		if (stmt->expr->chain != NULL) {
> -			if (expr_evaluate(ctx, &stmt->expr->chain) < 0)
> -				return -1;
> -			if ((stmt->expr->chain->etype != EXPR_SYMBOL &&
> -			    stmt->expr->chain->etype != EXPR_VALUE) ||
> -			    stmt->expr->chain->symtype != SYMBOL_VALUE) {
> -				return stmt_error(ctx, stmt,
> -						  "invalid verdict chain expression %s\n",
> -						  expr_name(stmt->expr->chain));
> -			}
> -		}

According to my logs, this bit was added by Fernando to cover for
invalid variable values[1]. So I fear we can't just drop this check.

Cheers, Phil

[1] I didn't check with current sources, but back then the following
    variable contents were problematic:

    * define foo = @set1 (a set named 'set1' must exist)
    * define foo = { 1024 }
    * define foo = *

El 16 de julio de 2019 18:47:11 CEST, Phil Sutter <phil@nwl.cc> escribió:
>Hi Pablo,
>
>On Tue, Jul 16, 2019 at 01:51:20PM +0200, Pablo Neira Ayuso wrote:
>[...]
>> diff --git a/src/evaluate.c b/src/evaluate.c
>> index f95f42e1067a..cd566e856a11 100644
>> --- a/src/evaluate.c
>> +++ b/src/evaluate.c
>> @@ -1984,17 +1984,9 @@ static int stmt_evaluate_verdict(struct
>eval_ctx *ctx, struct stmt *stmt)
>>  	case EXPR_VERDICT:
>>  		if (stmt->expr->verdict != NFT_CONTINUE)
>>  			stmt->flags |= STMT_F_TERMINAL;
>> -		if (stmt->expr->chain != NULL) {
>> -			if (expr_evaluate(ctx, &stmt->expr->chain) < 0)
>> -				return -1;
>> -			if ((stmt->expr->chain->etype != EXPR_SYMBOL &&
>> -			    stmt->expr->chain->etype != EXPR_VALUE) ||
>> -			    stmt->expr->chain->symtype != SYMBOL_VALUE) {
>> -				return stmt_error(ctx, stmt,
>> -						  "invalid verdict chain expression %s\n",
>> -						  expr_name(stmt->expr->chain));
>> -			}
>> -		}
>
>According to my logs, this bit was added by Fernando to cover for
>invalid variable values[1]. So I fear we can't just drop this check.
>
>Cheers, Phil
>
>[1] I didn't check with current sources, but back then the following
>    variable contents were problematic:
>
>    * define foo = @set1 (a set named 'set1' must exist)
>    * define foo = { 1024 }
>    * define foo = *

Yes I am looking to the report and why current version fails when the jump is to a non-base chain because I tested that some months ago.

I will catch up with more details in a few hours. Sorry for the inconveniences.

On Tue, Jul 16, 2019 at 01:51:20PM +0200, Pablo Neira Ayuso wrote:
>  add rule ip testNEW test6 jump test8
>                                 ^^^^^
>  Error: invalid verdict chain expression value

Note that I can't reproduce this issue locally.

[...]
> -			if ((stmt->expr->chain->etype != EXPR_SYMBOL &&
> -			    stmt->expr->chain->etype != EXPR_VALUE) ||
> -			    stmt->expr->chain->symtype != SYMBOL_VALUE) {
> -				return stmt_error(ctx, stmt,
> -						  "invalid verdict chain expression %s\n",
> -						  expr_name(stmt->expr->chain));
> -			}

So I guess the problem is that for an etype of EXPR_VALUE, symtype is
still checked. The latter is used by EXPR_SYMBOL only, but since
SYMBOL_VALUE is 0 (implicitly, it's the first item in enum
symbol_types) this probably works by accident.

I still don't understand why it doesn't work for you, but I guess the
bug is found. So probably

| if ((stmt->expr->chain->etype != EXPR_SYMBOL ||
|       stmt->expr->chain->symtype != SYMBOL_VALUE) &&
|     stmt->expr->chain->etype != EXPR_VALUE)) {

is right.

Cheers, Phil

Fernando Fernandez Mancera <ffmancera@riseup.net> wrote:
> El 16 de julio de 2019 18:47:11 CEST, Phil Sutter <phil@nwl.cc> escribió:
> >Hi Pablo,
> >
> >On Tue, Jul 16, 2019 at 01:51:20PM +0200, Pablo Neira Ayuso wrote:
> >[...]
> >> diff --git a/src/evaluate.c b/src/evaluate.c
> >> index f95f42e1067a..cd566e856a11 100644
> >> --- a/src/evaluate.c
> >> +++ b/src/evaluate.c
> >> @@ -1984,17 +1984,9 @@ static int stmt_evaluate_verdict(struct
> >eval_ctx *ctx, struct stmt *stmt)
> >>  	case EXPR_VERDICT:
> >>  		if (stmt->expr->verdict != NFT_CONTINUE)
> >>  			stmt->flags |= STMT_F_TERMINAL;
> >> -		if (stmt->expr->chain != NULL) {
> >> -			if (expr_evaluate(ctx, &stmt->expr->chain) < 0)
> >> -				return -1;
> >> -			if ((stmt->expr->chain->etype != EXPR_SYMBOL &&
> >> -			    stmt->expr->chain->etype != EXPR_VALUE) ||
> >> -			    stmt->expr->chain->symtype != SYMBOL_VALUE) {
> >> -				return stmt_error(ctx, stmt,
> >> -						  "invalid verdict chain expression %s\n",
> >> -						  expr_name(stmt->expr->chain));
> >> -			}
> >> -		}
> >
> >According to my logs, this bit was added by Fernando to cover for
> >invalid variable values[1]. So I fear we can't just drop this check.
> >
> >Cheers, Phil
> >
> >[1] I didn't check with current sources, but back then the following
> >    variable contents were problematic:
> >
> >    * define foo = @set1 (a set named 'set1' must exist)
> >    * define foo = { 1024 }
> >    * define foo = *
> 
> Yes I am looking to the report and why current version fails when the jump is to a non-base chain because I tested that some months ago.
> 
> I will catch up with more details in a few hours. Sorry for the inconveniences.

Fernando, in case Pablos patch v2 fixes the reported bug, could you
followup with a test case?  It would help when someone tries to remove
"unneeded code" in the future ;-)

Thanks,
Florian

On Tue, Jul 16, 2019 at 08:00:04PM +0200, Florian Westphal wrote:
> Fernando Fernandez Mancera <ffmancera@riseup.net> wrote:
> > El 16 de julio de 2019 18:47:11 CEST, Phil Sutter <phil@nwl.cc> escribió:
> > >Hi Pablo,
> > >
> > >On Tue, Jul 16, 2019 at 01:51:20PM +0200, Pablo Neira Ayuso wrote:
> > >[...]
> > >> diff --git a/src/evaluate.c b/src/evaluate.c
> > >> index f95f42e1067a..cd566e856a11 100644
> > >> --- a/src/evaluate.c
> > >> +++ b/src/evaluate.c
> > >> @@ -1984,17 +1984,9 @@ static int stmt_evaluate_verdict(struct
> > >eval_ctx *ctx, struct stmt *stmt)
> > >>  	case EXPR_VERDICT:
> > >>  		if (stmt->expr->verdict != NFT_CONTINUE)
> > >>  			stmt->flags |= STMT_F_TERMINAL;
> > >> -		if (stmt->expr->chain != NULL) {
> > >> -			if (expr_evaluate(ctx, &stmt->expr->chain) < 0)
> > >> -				return -1;
> > >> -			if ((stmt->expr->chain->etype != EXPR_SYMBOL &&
> > >> -			    stmt->expr->chain->etype != EXPR_VALUE) ||
> > >> -			    stmt->expr->chain->symtype != SYMBOL_VALUE) {
> > >> -				return stmt_error(ctx, stmt,
> > >> -						  "invalid verdict chain expression %s\n",
> > >> -						  expr_name(stmt->expr->chain));
> > >> -			}
> > >> -		}
> > >
> > >According to my logs, this bit was added by Fernando to cover for
> > >invalid variable values[1]. So I fear we can't just drop this check.
> > >
> > >Cheers, Phil
> > >
> > >[1] I didn't check with current sources, but back then the following
> > >    variable contents were problematic:
> > >
> > >    * define foo = @set1 (a set named 'set1' must exist)
> > >    * define foo = { 1024 }
> > >    * define foo = *
> > 
> > Yes I am looking to the report and why current version fails when the jump is to a non-base chain because I tested that some months ago.
> > 
> > I will catch up with more details in a few hours. Sorry for the inconveniences.
> 
> Fernando, in case Pablos patch v2 fixes the reported bug, could you
> followup with a test case?  It would help when someone tries to remove
> "unneeded code" in the future ;-)

I'm not sure it's worth a test for this unlikely corner case.

There are thousands of paths where we're not performing strict
expression validation as in this case... and if you really want to get
this right.

On Tue, Jul 16, 2019 at 08:12:53PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Jul 16, 2019 at 08:00:04PM +0200, Florian Westphal wrote:
> > Fernando Fernandez Mancera <ffmancera@riseup.net> wrote:
> > > El 16 de julio de 2019 18:47:11 CEST, Phil Sutter <phil@nwl.cc> escribió:
> > > >Hi Pablo,
> > > >
> > > >On Tue, Jul 16, 2019 at 01:51:20PM +0200, Pablo Neira Ayuso wrote:
> > > >[...]
> > > >> diff --git a/src/evaluate.c b/src/evaluate.c
> > > >> index f95f42e1067a..cd566e856a11 100644
> > > >> --- a/src/evaluate.c
> > > >> +++ b/src/evaluate.c
> > > >> @@ -1984,17 +1984,9 @@ static int stmt_evaluate_verdict(struct
> > > >eval_ctx *ctx, struct stmt *stmt)
> > > >>  	case EXPR_VERDICT:
> > > >>  		if (stmt->expr->verdict != NFT_CONTINUE)
> > > >>  			stmt->flags |= STMT_F_TERMINAL;
> > > >> -		if (stmt->expr->chain != NULL) {
> > > >> -			if (expr_evaluate(ctx, &stmt->expr->chain) < 0)
> > > >> -				return -1;
> > > >> -			if ((stmt->expr->chain->etype != EXPR_SYMBOL &&
> > > >> -			    stmt->expr->chain->etype != EXPR_VALUE) ||
> > > >> -			    stmt->expr->chain->symtype != SYMBOL_VALUE) {
> > > >> -				return stmt_error(ctx, stmt,
> > > >> -						  "invalid verdict chain expression %s\n",
> > > >> -						  expr_name(stmt->expr->chain));
> > > >> -			}
> > > >> -		}
> > > >
> > > >According to my logs, this bit was added by Fernando to cover for
> > > >invalid variable values[1]. So I fear we can't just drop this check.
> > > >
> > > >Cheers, Phil
> > > >
> > > >[1] I didn't check with current sources, but back then the following
> > > >    variable contents were problematic:
> > > >
> > > >    * define foo = @set1 (a set named 'set1' must exist)
> > > >    * define foo = { 1024 }
> > > >    * define foo = *
> > > 
> > > Yes I am looking to the report and why current version fails when the jump is to a non-base chain because I tested that some months ago.
> > > 
> > > I will catch up with more details in a few hours. Sorry for the inconveniences.
> > 
> > Fernando, in case Pablos patch v2 fixes the reported bug, could you
> > followup with a test case?  It would help when someone tries to remove
> > "unneeded code" in the future ;-)
> 
> I'm not sure it's worth a test for this unlikely corner case.
> 
> There are thousands of paths where we're not performing strict
> expression validation as in this case... and if you really want to get
> this right.

Having said this, if you want a test for this specific case, I really
don't mind :-)

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Having said this, if you want a test for this specific case, I really
> don't mind :-)

Fair enough, Fernando, if you think you have more important things to
work on then just ignore this.

El 16 de julio de 2019 20:27:39 CEST, Florian Westphal <fw@strlen.de> escribió:
>Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> Having said this, if you want a test for this specific case, I really
>> don't mind :-)
>
>Fair enough, Fernando, if you think you have more important things to
>work on then just ignore this.

I am going to send a patch with a test for this case. It should be easy :-)

Hi,

On 7/16/19 8:12 PM, Pablo Neira Ayuso wrote:
> On Tue, Jul 16, 2019 at 08:00:04PM +0200, Florian Westphal wrote:
>> Fernando Fernandez Mancera <ffmancera@riseup.net> wrote:
>>> El 16 de julio de 2019 18:47:11 CEST, Phil Sutter <phil@nwl.cc> escribió:
>>>> Hi Pablo,
>>>>
>>>> On Tue, Jul 16, 2019 at 01:51:20PM +0200, Pablo Neira Ayuso wrote:
>>>> [...]
>>>>> diff --git a/src/evaluate.c b/src/evaluate.c
>>>>> index f95f42e1067a..cd566e856a11 100644
>>>>> --- a/src/evaluate.c
>>>>> +++ b/src/evaluate.c
>>>>> @@ -1984,17 +1984,9 @@ static int stmt_evaluate_verdict(struct
>>>> eval_ctx *ctx, struct stmt *stmt)
>>>>>  	case EXPR_VERDICT:
>>>>>  		if (stmt->expr->verdict != NFT_CONTINUE)
>>>>>  			stmt->flags |= STMT_F_TERMINAL;
>>>>> -		if (stmt->expr->chain != NULL) {
>>>>> -			if (expr_evaluate(ctx, &stmt->expr->chain) < 0)
>>>>> -				return -1;
>>>>> -			if ((stmt->expr->chain->etype != EXPR_SYMBOL &&
>>>>> -			    stmt->expr->chain->etype != EXPR_VALUE) ||
>>>>> -			    stmt->expr->chain->symtype != SYMBOL_VALUE) {
>>>>> -				return stmt_error(ctx, stmt,
>>>>> -						  "invalid verdict chain expression %s\n",
>>>>> -						  expr_name(stmt->expr->chain));
>>>>> -			}
>>>>> -		}
>>>>
>>>> According to my logs, this bit was added by Fernando to cover for
>>>> invalid variable values[1]. So I fear we can't just drop this check.
>>>>
>>>> Cheers, Phil
>>>>
>>>> [1] I didn't check with current sources, but back then the following
>>>>    variable contents were problematic:
>>>>
>>>>    * define foo = @set1 (a set named 'set1' must exist)
>>>>    * define foo = { 1024 }
>>>>    * define foo = *
>>>
>>> Yes I am looking to the report and why current version fails when the jump is to a non-base chain because I tested that some months ago.
>>>
>>> I will catch up with more details in a few hours. Sorry for the inconveniences.
>>
>> Fernando, in case Pablos patch v2 fixes the reported bug, could you
>> followup with a test case?  It would help when someone tries to remove
>> "unneeded code" in the future ;-)

I have been taking a look to the shell tests and we already have some
tests that cover these cases "tests/shell/testcases/chains/0001jumps_0",
"tests/shell/testcases/nft-f/0018jump_variable_0",
"tests/shell/testcases/nft-f/0019jump_variable_1",
"tests/shell/testcases/nft-f/0020jump_variable_1".

Also I have tested Pablo's v2 patch and it works fine for me.

I would like to know how could I prevent this kind of situations in the
future. Is there a way to automatically test your patch with other
relevant kernel versions?

Thanks! :-)

> 
> I'm not sure it's worth a test for this unlikely corner case.
> 
> There are thousands of paths where we're not performing strict
> expression validation as in this case... and if you really want to get
> this right.
>