payload: return early if dependency is not a payload expression
authorFlorian Westphal <fw@strlen.de>
Tue, 25 Feb 2025 20:13:33 +0000 (21:13 +0100)
committerFlorian Westphal <fw@strlen.de>
Tue, 25 Feb 2025 23:51:41 +0000 (00:51 +0100)
 if (dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)

is legal only after checking that ->left points to an
EXPR_PAYLOAD expression. The dependency store can also contain
EXPR_META; in that case we access a bogus part of the union.

The payload_may_dependency_kill_icmp helper can't handle a META
dep either, so return early.

Fixes: 533565244d88 ("payload: check icmp dependency before removing previous icmp expression")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/payload.c

index eadc92efc0d7fbcc1ee2e6b01cbf61a27c10056c..866cd9bc2b052ad59d9db296b5c42a3c4e4efe78 100644 (file)
@@ -893,7 +893,8 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
        if (expr->payload.base != PROTO_BASE_TRANSPORT_HDR)
                return true;
 
-       if (dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)
+       if (dep->left->etype != EXPR_PAYLOAD ||
+           dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)
                return true;
 
        if (dep->left->payload.desc == &proto_icmp)
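Review bot: The added `dep->left->etype != EXPR_PAYLOAD` test is the only thing that makes the `dep->left->payload.base` and `dep->left->payload.desc` reads after it valid, but nothing in the code says so, and a later edit that reorders or splits the condition would bring back the wrong-union-member read. I would put a comment directly above it, e.g. `/* dep store may also hold EXPR_META; ->payload is only valid for EXPR_PAYLOAD */`. The early `return true` also appears to report a non-payload dependency as killable, which is worth stating in that comment if it is the intended result rather than just the safe exit. payload_may_dependency_kill starts and ends outside this hunk, so any other `dep->left->payload` access in it cannot be checked from here.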