Re: [PATCH nft] evaluate: fix crash when set name is null

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Thu, 12 Jun 2025 01:29:50 +0200

On Fri, Jun 06, 2025 at 12:41:49PM +0200, Florian Westphal wrote:
> Bogon provides a handle but not a name.

No handle for delete map command:

                        |       SET             set_or_id_spec
                        {
                                $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SET, &$2, &@$, NULL);
                        }
                        |       MAP             set_spec
                                                ^^^^^^^^

This is incomplete:

f4a34d25f6d5 ("src: list set handle and delete set via set handle")

but this is also lacking handle support:

745e51d0b8f0 ("evaluate: remove set from cache on delete set command")

Then, reset command parser looks consistent:

83e0f4402fb7 ("Implement 'reset {set,map,element}' commands")

but cmd_evaluate_reset() calls cmd_evaluate_list() which cannot deal
with the handle.

Looking at delete command for other objects, same issue, eg.
chain_del_cache() also does not deal with this handle.

I think the way to go is to add another hashtable to look up for
object handles, I can post a patch for this purpose.

> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
>  src/cache.c                                            | 3 +++
>  src/evaluate.c                                         | 3 +++
>  tests/shell/testcases/bogons/nft-f/null_set_name_crash | 2 ++
>  3 files changed, 8 insertions(+)
>  create mode 100644 tests/shell/testcases/bogons/nft-f/null_set_name_crash
> 
> diff --git a/src/cache.c b/src/cache.c
> index 3ac819cf68fb..67ba35bee1fa 100644
> --- a/src/cache.c
> +++ b/src/cache.c
> @@ -840,6 +840,9 @@ struct set *set_cache_find(const struct table *table, const char *name)
>  	struct set *set;
>  	uint32_t hash;
>  
> +	if (!name)
> +		return NULL;
> +
>  	hash = djb_hash(name) % NFT_CACHE_HSIZE;
>  	list_for_each_entry(set, &table->set_cache.ht[hash], cache.hlist) {
>  		if (!strcmp(set->handle.set.name, name))
> diff --git a/src/evaluate.c b/src/evaluate.c
> index 9c7f23cb080e..e8e4aa2df4ca 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -284,6 +284,9 @@ static int set_not_found(struct eval_ctx *ctx, const struct location *loc,
>  	const struct table *table;
>  	struct set *set;
>  
> +	if (!set_name)
> +		set_name = "";
> +
>  	set = set_lookup_fuzzy(set_name, &ctx->nft->cache, &table);
>  	if (set == NULL)
>  		return cmd_error(ctx, loc, "%s", strerror(ENOENT));
> diff --git a/tests/shell/testcases/bogons/nft-f/null_set_name_crash b/tests/shell/testcases/bogons/nft-f/null_set_name_crash
> new file mode 100644
> index 000000000000..e5d85b228a84
> --- /dev/null
> +++ b/tests/shell/testcases/bogons/nft-f/null_set_name_crash
> @@ -0,0 +1,2 @@
> +table y { }
> +reset set y handle 6
> -- 
> 2.49.0
> 
> 