From: Phil Sutter
Date: Thu, 12 Jun 2025 18:17:22 +0000 (+0200)
Subject: netlink: Avoid crash upon missing NFTNL_OBJ_CT_TIMEOUT_ARRAY attribute
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2a38f458f12bc032dac1b3ba63f95ca5a3c03fbd;p=thirdparty%2Fnftables.git

netlink: Avoid crash upon missing NFTNL_OBJ_CT_TIMEOUT_ARRAY attribute

If missing, the memcpy call ends up reading from address zero.

Fixes: c7c94802679cd ("src: add ct timeout support")
Signed-off-by: Phil Sutter
Reviewed-by: Pablo Neira Ayuso
---

diff --git a/src/netlink.c b/src/netlink.c
index be1fefc0..73fe579a 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1769,9 +1769,10 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx,
 init_list_head(&obj->ct_timeout.timeout_list);
 obj->ct_timeout.l3proto = nftnl_obj_get_u16(nlo, NFTNL_OBJ_CT_TIMEOUT_L3PROTO);
 obj->ct_timeout.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_TIMEOUT_L4PROTO);
- memcpy(obj->ct_timeout.timeout,
- nftnl_obj_get(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY),
- NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t));
+ if (nftnl_obj_is_set(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY))
+ memcpy(obj->ct_timeout.timeout,
+ nftnl_obj_get(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY),
+ NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t));
 break;
 case NFT_OBJECT_LIMIT:
 obj->limit.rate =
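Review bot: With the new nftnl_obj_is_set() guard, an object whose NFTNL_OBJ_CT_TIMEOUT_ARRAY attribute is absent leaves obj->ct_timeout.timeout holding whatever the allocator put there, so later readers of the array see indeterminate values unless obj was zero-initialized — its allocation is outside the hunk, as is the start of netlink_delinearize_obj. The silent skip deserves a comment either way, e.g. `/* array is optional on the wire; timeouts keep their initial value when absent */`, and if the allocation is not zeroing, an explicit `else memset(obj->ct_timeout.timeout, 0, NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t));` pins the fallback instead of relying on it. The copied length is also still the fixed NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t) rather than the attribute's own length, which is only safe if libnftnl guarantees a full-size array behind the returned pointer; I cannot confirm that from the hunk.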