From 805fe6f5c9c8f2af78d8e94bd6b5c33724df3c80 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Tue, 18 May 2021 18:16:21 +0200 Subject: [PATCH] evaluate: Reject quoted strings containing only wildcard Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1818117 Upstream Status: nftables commit 032c9f745c6da commit 032c9f745c6daab8c27176a95963b1c32b0a5d12 Author: Phil Sutter Date: Thu Sep 24 17:38:45 2020 +0200 evaluate: Reject quoted strings containing only wildcard Fix for an assertion fail when trying to match against an all-wildcard interface name: | % nft add rule t c iifname '"*"' | nft: expression.c:402: constant_expr_alloc: Assertion `(((len) + (8) - 1) / (8)) > 0' failed. | zsh: abort nft add rule t c iifname '"*"' Fix this by detecting the string in expr_evaluate_string() and returning an error message: | % nft add rule t c iifname '"*"' | Error: All-wildcard strings are not supported | add rule t c iifname "*" | ^^^ While being at it, drop the 'datalen >= 1' clause from the following conditional as together with the added check for 'datalen == 0', all possible other values have been caught already. --- src/evaluate.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/evaluate.c b/src/evaluate.c index a966ed4..0181750 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -321,8 +321,11 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp) return 0; } - if (datalen >= 1 && - data[datalen - 1] == '\\') { + if (datalen == 0) + return expr_error(ctx->msgs, expr, + "All-wildcard strings are not supported"); + + if (data[datalen - 1] == '\\') { char unescaped_str[data_len]; memset(unescaped_str, 0, sizeof(unescaped_str)); -- 2.31.1