diff mbox series

[nft,v2,08/11] src: netlink: remove assertion

Message ID 20191213160345.30057-9-fw@strlen.de
State Changes Requested
Delegated to: Pablo Neira
Series add typeof keyword

Commit Message

Florian Westphal Dec. 13, 2019, 4:03 p.m. UTC
This assert can trigger as follows:

set s {
	type integer,8
	elements = { 1 }
};
vlan id @s accept

The reason is that 'vlan id' will store a 16 bit value into the dreg,
so the set should use 'integer,16'.

The kernel won't detect this, as the lookup expression will only
verify that it can load one byte from the given register.

This removes the assertion; in case we hit this condition we can just
return without doing any further actions.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/netlink_delinearize.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

Patch

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 154353b8161a..6a09bc2013a4 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1800,9 +1800,20 @@  static void binop_adjust_one(const struct expr *binop, struct expr *value,
 {
 	struct expr *left = binop->left;
 
-	assert(value->len >= binop->right->len);
-
 	mpz_rshift_ui(value->value, shift);
+
+	/* This will happen when a set has a key that is
+	 * smaller than the amount of bytes loaded by the
+	 * payload/exthdr expression.
+	 *
+	 * This can't happen with normal nft frontend,
+	 * but it can happen with custom clients or with
+	 * nft sets defined via 'type integer,8' and then
+	 * asking "vlan id @myset".
+	 */
+	if (value->len < binop->right->len)
+		return;
+
 	switch (left->etype) {
 	case EXPR_PAYLOAD:
 	case EXPR_EXTHDR:
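
Review bot: The new length check in binop_adjust_one() sits after mpz_rshift_ui(value->value, shift), so on the early return the value has already been shifted while nothing else is adjusted. That does not match the commit message's "return without doing any further actions". Consider moving the `if (value->len < binop->right->len) return;` test above the shift so a mismatched set key leaves the expression untouched. Since the function returns void, the caller also cannot tell that the adjustment was skipped; if a listing built from this state could mislead, say so in the comment or report the mismatch instead of returning silently.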