From eb4cd8e3b1e46ceeb748bf21f3d958911f19aa42 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 3 Dec 2020 12:14:35 +0100
Subject: [PATCH] imv-scanner: Fix potentially unsafe port filter attribute destruction DESTROY_IF() checks if the given value is not NULL, before calling destroy() on it, which does not work for sub-structs. If port_filter_attr is NULL, this could crash.
---
 .../plugins/imv_scanner/imv_scanner_state.c | 20 +++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
index 2429733a5..5606c3012 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
@@ -321,8 +321,12 @@ METHOD(imv_state_t, reset, void,
 this->handshake_state = IMV_SCANNER_STATE_INIT;
- DESTROY_IF(&this->port_filter_attr->pa_tnc_attribute);
- this->port_filter_attr = NULL;
+ if (this->port_filter_attr)
+ {
+ this->port_filter_attr->pa_tnc_attribute.destroy(
+ &this->port_filter_attr->pa_tnc_attribute);
+ this->port_filter_attr = NULL;
+ }
 this->violating_ports->destroy_function(this->violating_ports, free);
 this->violating_ports = linked_list_create();
 }
@@ -333,7 +337,11 @@ METHOD(imv_state_t, destroy, void,
 DESTROY_IF(this->session);
 DESTROY_IF(this->reason_string);
 DESTROY_IF(this->remediation_string);
- DESTROY_IF(&this->port_filter_attr->pa_tnc_attribute);
+ if (this->port_filter_attr)
+ {
+ this->port_filter_attr->pa_tnc_attribute.destroy(
+ &this->port_filter_attr->pa_tnc_attribute);
+ }
 this->contracts->destroy(this->contracts);
 this->violating_ports->destroy_function(this->violating_ports, free);
 free(this);
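Review bot: The null-checked destroy sequence for port_filter_attr is now written out three times (here in reset, in destroy in the next hunk, and in set_port_filter_attr in the last hunk), and only the copy in reset clears the pointer afterwards. The stale pointer looks harmless in the other two places, since destroy is followed by free(this) and set_port_filter_attr overwrites the field on the next line, but three hand-copied variants of a lifetime-sensitive sequence are easy to let drift apart. A single file-local helper that destroys the attribute and sets the field to NULL would give all three call sites the same guarantee. The bodies of reset and destroy start outside these hunks, so the helper below is a sketch against the visible lines only.

```c
/* Destroy the stored port filter attribute, if any, and clear the pointer
 * so that no later code path can reach the destroyed object. */
static void destroy_port_filter_attr(private_imv_scanner_state_t *this)
{
	if (this->port_filter_attr)
	{
		this->port_filter_attr->pa_tnc_attribute.destroy(
							&this->port_filter_attr->pa_tnc_attribute);
		this->port_filter_attr = NULL;
	}
}

/* … unchanged: start of reset() up to the handshake_state assignment … */
	this->handshake_state = IMV_SCANNER_STATE_INIT;
	destroy_port_filter_attr(this);
/* … unchanged: violating_ports handling … */
```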
@@ -354,7 +362,11 @@ METHOD(imv_scanner_state_t, get_handshake_state, imv_scanner_handshake_state_t,
 METHOD(imv_scanner_state_t, set_port_filter_attr, void,
 private_imv_scanner_state_t *this, ietf_attr_port_filter_t *attr)
 {
- DESTROY_IF(&this->port_filter_attr->pa_tnc_attribute);
+ if (this->port_filter_attr)
+ {
+ this->port_filter_attr->pa_tnc_attribute.destroy(
+ &this->port_filter_attr->pa_tnc_attribute);
+ }
 this->port_filter_attr = attr;
 }
-- 
2.47.3
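Review bot: In set_port_filter_attr the previously stored attribute is destroyed before `attr` is assigned, so a call that passes the pointer already held would leave this->port_filter_attr referring to an object whose destroy() has just run. Whether destroy() releases the object immediately or only drops a reference is not visible in this hunk, and neither are the callers, so this needs confirming against the attribute implementation. If destroy() frees immediately and a caller can pass the stored pointer again, a guard ahead of the destroy, `if (this->port_filter_attr == attr) return;`, closes the gap. Either way the setter's ownership contract deserves a comment above the METHOD line, for example `/* takes ownership of attr; any previously set attribute is destroyed */`.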