if (dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)
is legal only after checking that ->left points to an
EXPR_PAYLOAD expression. The dependency store can also contain
EXPR_META; in this case we access a bogus part of the union.
The payload_may_dependency_kill_icmp helper can't handle a META
dep either, so return early.
Fixes: 533565244d88 ("payload: check icmp dependency before removing previous icmp expression")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
if (expr->payload.base != PROTO_BASE_TRANSPORT_HDR)
return true;
- if (dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)
+ if (dep->left->etype != EXPR_PAYLOAD ||
+ dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)
return true;
if (dep->left->payload.desc == &proto_icmp)
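Review bot: The new `dep->left->etype != EXPR_PAYLOAD` test in the second condition has no comment in the code, so the reason it must come before any read of `dep->left->payload` is recorded only in the commit message. A short comment above the condition, saying that `->payload` is a union member valid only for EXPR_PAYLOAD and that the dependency store can also hold EXPR_META, would keep a later reorder or refactor from reintroducing the bogus union access. The `dep->left->payload.desc == &proto_icmp` comparison on the following line relies on the same guard, which is worth noting in that comment too. It would also help to state why returning true is the right result for a non-payload dependency, since the same return value is shared with the "not a transport header" case.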