Projects
Mega:24.03:SP1:Everything
nftables
_service:tar_scm:backport-parser_bison-fix-ct-s...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-parser_bison-fix-ct-scope-underflow-if-ct-helper-sec.patch of Package nftables
From 037d58a27d675802286aafb23e409b8c1d3eef56 Mon Sep 17 00:00:00 2001 From: Florian Westphal <fw@strlen.de> Date: Tue, 12 Dec 2023 10:22:58 +0100 Subject: [PATCH] parser_bison: fix ct scope underflow if ct helper section is duplicated table inet filter { ct helper sip-5060u { type "sip" protocol udp l3proto ip }5060t { type "sip" protocol tcp l3pownerip } Will close the 'ct' scope twice, it has to be closed AFTER the separator has been parsed. While not strictly needed, also error out if the protocol is already given, this provides a better error description. Also make sure we release the string in all error branches. Signed-off-by: Florian Westphal <fw@strlen.de> --- src/parser_bison.y | 15 +++++++++++---- .../bogons/nft-f/ct_helper_yystate_underflow | 14 ++++++++++++++ 2 files changed, 25 insertions(+), 4 deletions(-) create mode 100644 tests/shell/testcases/bogons/nft-f/ct_helper_yystate_underflow diff --git a/src/parser_bison.y b/src/parser_bison.y index d13fb961..ce80bcd9 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -1971,7 +1971,7 @@ table_block : /* empty */ { $$ = $<table>-1; } list_add_tail(&$4->list, &$1->objs); $$ = $1; } - | table_block CT HELPER obj_identifier obj_block_alloc '{' ct_helper_block '}' close_scope_ct stmt_separator + | table_block CT HELPER obj_identifier obj_block_alloc '{' ct_helper_block '}' stmt_separator close_scope_ct { $5->location = @4; $5->type = NFT_OBJECT_CT_HELPER; @@ -1980,7 +1980,7 @@ table_block : /* empty */ { $$ = $<table>-1; } list_add_tail(&$5->list, &$1->objs); $$ = $1; } - | table_block CT TIMEOUT obj_identifier obj_block_alloc '{' ct_timeout_block '}' close_scope_ct stmt_separator + | table_block CT TIMEOUT obj_identifier obj_block_alloc '{' ct_timeout_block '}' stmt_separator close_scope_ct { $5->location = @4; $5->type = NFT_OBJECT_CT_TIMEOUT; @@ -1989,7 +1989,7 @@ table_block : /* empty */ { $$ = $<table>-1; } list_add_tail(&$5->list, &$1->objs); $$ = $1; } - | table_block CT EXPECTATION obj_identifier obj_block_alloc '{' ct_expect_block '}' close_scope_ct stmt_separator + | table_block CT EXPECTATION obj_identifier obj_block_alloc '{' ct_expect_block '}' stmt_separator close_scope_ct { $5->location = @4; $5->type = NFT_OBJECT_CT_EXPECT; @@ -4827,16 +4827,23 @@ ct_l4protoname : TCP close_scope_tcp { $$ = IPPROTO_TCP; } | UDP close_scope_udp { $$ = IPPROTO_UDP; } ; -ct_helper_config : TYPE QUOTED_STRING PROTOCOL ct_l4protoname stmt_separator close_scope_type +ct_helper_config : TYPE QUOTED_STRING PROTOCOL ct_l4protoname stmt_separator close_scope_type { struct ct_helper *ct; int ret; ct = &$<obj>0->ct_helper; + if (ct->l4proto) { + erec_queue(error(&@2, "You can only specify this once. This statement is already set for %s.", ct->name), state->msgs); + xfree($2); + YYERROR; + } + ret = snprintf(ct->name, sizeof(ct->name), "%s", $2); if (ret <= 0 || ret >= (int)sizeof(ct->name)) { erec_queue(error(&@2, "invalid name '%s', max length is %u\n", $2, (int)sizeof(ct->name)), state->msgs); + xfree($2); YYERROR; } xfree($2); diff --git a/tests/shell/testcases/bogons/nft-f/ct_helper_yystate_underflow b/tests/shell/testcases/bogons/nft-f/ct_helper_yystate_underflow new file mode 100644 index 00000000..18eb25eb --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/ct_helper_yystate_underflow @@ -0,0 +1,14 @@ +table inet filter { + ct helper sip-5060u { + type "sip" protocol udp + l3proto ip + }5060t { + type "sip" protocol tcp + l3pownerip + } + + chain input { + type filtol/dev/stdinok input priority f)lser; policy accept; + ct helper set ip protocol . th dport map { udp . 1-20000 : "si60u", tcp . 10000-20000 : "sip-5060t" } + } +} -- 2.33.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2