bogon causes: BUG: Internal error: Unexpected alteration of l4 expressionnft: src/evaluate.c:4112: stmt_evaluate_nat_map: Assertion `0' failed. After fix: Error: can not use variable sized data types (invalid) in concat expressions typeof numgen inc mod 2 : ip daddr . 0 ~~~~~~~~~~~^ This error is emitted during evaluation of the set, so stmt_evaluate_nat_map is operating on a partially evaluated set. set->key, set->data etc. may or may not have been evaluated or could be absent entirely. Tag set as erronous, then bail out in stmt_evaluate_nat_map, any errors we could emit here are followup-errors anyway. Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
--- src/evaluate.c | 12 +++++++++++- .../invalid_set_key_stmt_evaluate_nat_map_assert | 10 ++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 tests/shell/testcases/bogons/nft-f/invalid_set_key_stmt_evaluate_nat_map_assert
diff --git a/src/evaluate.c b/src/evaluate.c
index d6bb18ba2aa0..9fd4f6d7ddfa 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4273,6 +4273,11 @@ static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt)
 goto out;
 }
+ if (stmt->nat.addr->mappings->set->errors) {
+ err = -1;
+ goto out;
+ }
+
 data = stmt->nat.addr->mappings->set->data;
 if (data->flags & EXPR_F_INTERVAL)
 stmt->nat.type_flags |= STMT_NAT_F_INTERVAL;
@@ -5690,12 +5695,17 @@ static int table_evaluate(struct eval_ctx *ctx, struct table *table)
 static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd)
 {
+ int ret;
+
 switch (cmd->obj) {
 case CMD_OBJ_ELEMENTS:
 return setelem_evaluate(ctx, cmd);
 case CMD_OBJ_SET:
 handle_merge(&cmd->set->handle, &cmd->handle);
- return set_evaluate(ctx, cmd->set);
+ ret = set_evaluate(ctx, cmd->set);
+ if (ret < 0)
+ cmd->set->errors = true;
+ return ret;
 case CMD_OBJ_SETELEMS:
 return elems_evaluate(ctx, cmd->set);
 case CMD_OBJ_RULE: 
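Review bot: The new early-out in stmt_evaluate_nat_map returns -1 without emitting any diagnostic, which is only acceptable because set_evaluate has already reported the error for that set; the guard should say so, e.g. `/* set failed evaluation (error already reported): key/data may be missing or unevaluated, bail out instead of asserting */`. The check sits directly before `set->data` is read, so it protects that dereference, but other consumers of a named map's data (map expressions, verdict/objref maps) are outside this hunk and, as far as this patch shows, do not test `set->errors` — worth confirming they cannot be reached with the same partially evaluated set. stmt_evaluate_nat_map starts and ends outside the hunk.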
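Review bot: The `errors` tag is set only on the CMD_OBJ_SET arm of cmd_evaluate_add, so a set whose evaluation fails through any other caller of set_evaluate (table_evaluate is visible in the hunk header just above) stays untagged and the assertion this patch fixes could presumably still be reached from there; if those callers stop processing on failure that is fine, but the reason belongs in a comment. The diffstat lists only src/evaluate.c and the test file, so `set->errors` must already exist in struct set; a one-line note where it is set would help readers: `/* later rules referencing this set are still evaluated; tag it so they bail out instead of using half-evaluated key/data */`. As a point of style, `ret` could be scoped to the CMD_OBJ_SET arm inside braces rather than declared for the whole switch. cmd_evaluate_add's body continues outside the hunk.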
diff --git a/tests/shell/testcases/bogons/nft-f/invalid_set_key_stmt_evaluate_nat_map_assert b/tests/shell/testcases/bogons/nft-f/invalid_set_key_stmt_evaluate_nat_map_assert
new file mode 100644
index 000000000000..d73dce8e5ce1
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/invalid_set_key_stmt_evaluate_nat_map_assert
@@ -0,0 +1,10 @@
+table ip t {
+ map t2 {
+ typeof numgen inc mod 2 : ip daddr . 0
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto tcp dnat ip to numgen inc mod 2 map @t2
+ }
+}
-- 2.49.0