git.ipfire.org Git - thirdparty/nftables.git/commitdiff
payload: don't decode past last valid template
author Florian Westphal <fw@strlen.de>
Thu, 15 Feb 2018 14:26:31 +0000 (15:26 +0100)
committer Florian Westphal <fw@strlen.de>
Thu, 15 Feb 2018 16:22:42 +0000 (17:22 +0100)
When trying to decode payload header fields, be sure to bail out
when having exhausted all available templates.

Otherwise, we allocate invalid payload expressions (no datatype,
header length of 0) and then crash when trying to print them.

Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1226
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/payload.c

index 6e762ff3dcdb24d58d94fa46421f8a00a06be06a..7ca170edbb6df9a086906cf20d944e5979105249 100644 (file)
@@ -662,6 +662,10 @@ void payload_expr_expand(struct list_head *list, struct expr *expr,
 
        for (i = 1; i < array_size(desc->templates); i++) {
                tmpl = &desc->templates[i];
+
+               if (tmpl->len == 0)
+                       break;
+
                if (tmpl->offset != expr->payload.offset)
                        continue;
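
Review bot: the new `if (tmpl->len == 0) break;` at the top of the loop body treats the first zero-length template as the end of the array, which is only correct if every descriptor fills desc->templates contiguously from index 1, with no unused slot ahead of a valid entry. The hunk does not state that invariant. Please add a one-line comment above the check saying that a zero len marks the end of the valid templates, or use `continue` instead of `break` if gaps are possible, so that later templates at the matching offset are not silently skipped. Since the commit message says the unchecked case ends in a crash when printing, a regression test reproducing the linked bugzilla report would be worth adding with this change.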