From: Florian Westphal Date: Tue, 25 Feb 2025 20:13:33 +0000 (+0100) Subject: payload: return early if dependency is not a payload expression X-Git-Tag: v1.1.2~73 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=50f45c004adbab6a077609088becf62d2651101f;p=thirdparty%2Fnftables.git payload: return early if dependency is not a payload expression if (dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR) is legal only after checking that ->left points to an EXPR_PAYLOAD expression. The dependency store can also contain EXPR_META, in this case we access a bogus part of the union. The payload_may_dependency_kill_icmp helper can't handle a META dep either, so return early. Fixes: 533565244d88 ("payload: check icmp dependency before removing previous icmp expression") Signed-off-by: Florian Westphal Reviewed-by: Pablo Neira Ayuso --- diff --git a/src/payload.c b/src/payload.c index eadc92ef..866cd9bc 100644 --- a/src/payload.c +++ b/src/payload.c @@ -893,7 +893,8 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx, if (expr->payload.base != PROTO_BASE_TRANSPORT_HDR) return true; - if (dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR) + if (dep->left->etype != EXPR_PAYLOAD || + dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR) return true; if (dep->left->payload.desc == &proto_icmp)
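Review bot: the new `dep->left->etype != EXPR_PAYLOAD ||` test in payload_may_dependency_kill() has no comment in the code explaining why a non-payload dependency shares the `return true` result with the "not a transport header" case. The commit message says the dependency store can hold EXPR_META and that reading `->payload.base` then touches the wrong union member, but that reasoning lives only in the log. A one-line comment above the condition, stating that the store may hold EXPR_META and that `payload` is only valid for EXPR_PAYLOAD, would keep a later cleanup from dropping the check. It would also help to state why `true` rather than `false` is the right result for a META dependency, since the message only says "return early". The diff touches src/payload.c alone, so consider adding a regression test with a meta dependency ahead of a transport-header payload expression to exercise this path.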