netlink: Avoid potential NULL-pointer deref in netlink_gen_payload_stmt()

With payload_needs_l4csum_update_pseudohdr() unconditionally
dereferencing passed 'desc' parameter and a previous check for it to be
non-NULL, make sure to call the function only if input is sane.

Fixes: 68de70f2b3fc6 ("netlink_linearize: fix IPv6 layer 4 checksum mangling")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 498326d0087a13d8c270e1e5b6cf17c0fc962b55..cb1b7fe1748b204e59d8e4d805fc485c753bc0b7 100644 (file)
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -941,7 +941,7 @@ static void netlink_gen_payload_stmt(struct netlink_linearize_ctx *ctx,
                nftnl_expr_set_u32(nle, NFTNL_EXPR_PAYLOAD_CSUM_OFFSET,
                                   csum_off / BITS_PER_BYTE);
        }
-       if (expr->payload.base == PROTO_BASE_NETWORK_HDR &&
+       if (expr->payload.base == PROTO_BASE_NETWORK_HDR && desc &&
            payload_needs_l4csum_update_pseudohdr(expr, desc))
                nftnl_expr_set_u32(nle, NFTNL_EXPR_PAYLOAD_FLAGS,
                                   NFT_PAYLOAD_L4CSUM_PSEUDOHDR);