Re: [PATCH nft] evaluate: move interval flag compat check after set key evaluation

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Tue, 18 Mar 2025 12:57:31 +0100



On Mon, Mar 17, 2025 at 12:56:36PM +0100, Florian Westphal wrote:
> Without this, included bogon asserts with:
> BUG: unhandled key type 13
> nft: src/intervals.c:73: setelem_expr_to_range: Assertion `0' failed.
> 
> ... because we no longer evaluate set->key/data.
> 
> Move the check to the tail of the function, right before assiging
> set->existing_set, so that set->key has been evaluated.
> 
> Fixes: ceab53cee499 ("evaluate: don't allow merging interval set/map with non-interval one")
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>

Reviewed-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

Thanks

> ---
>  src/evaluate.c                                      |  6 +++---
>  .../invalid_data_expr_type_range_value_2_assert     | 13 +++++++++++++
>  2 files changed, 16 insertions(+), 3 deletions(-)
>  create mode 100644 tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_2_assert
> 
> diff --git a/src/evaluate.c b/src/evaluate.c
> index d59993dcdd4e..f1f7ddaab991 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -5088,9 +5088,6 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
>  				if (existing_flags == new_flags)
>  					set->flags |= NFT_SET_EVAL;
>  			}
> -
> -			if (set_is_interval(set->flags) && !set_is_interval(existing_set->flags))
> -				return set_error(ctx, set, "existing %s lacks interval flag", type);
>  		} else {
>  			set_cache_add(set_get(set), table);
>  		}
> @@ -5181,6 +5178,9 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
>  		return 0;
>  	}
>  
> +	if (existing_set && set_is_interval(set->flags) && !set_is_interval(existing_set->flags))
> +		return set_error(ctx, set, "existing %s lacks interval flag", type);
> +
>  	set->existing_set = existing_set;
>  
>  	return 0;
> diff --git a/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_2_assert b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_2_assert
> new file mode 100644
> index 000000000000..56f541a61e45
> --- /dev/null
> +++ b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_2_assert
> @@ -0,0 +1,13 @@
> +table inet t {
> +        map m2 {
> +                typeof udp length . @ih,32,32 : verdict
> +                elements = {
> +                             1-10 . 0xa : drop }
> +        }
> +
> +	map m2 {
> +                typeof udp length . @ih,32,32 : verdict
> +                flags interval
> +                elements = { 20-80 . 0x14 : accept }
> +        }
> +}
> -- 
> 2.48.1
> 
>