ulogd: fix crash when ipv4 packet is truncated
authorLiping Zhang <liping.zhang@spreadtrum.com>
Tue, 11 Oct 2016 14:22:27 +0000 (22:22 +0800)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 17 Oct 2016 15:32:36 +0000 (17:32 +0200)
If the IPv4 packet is truncated, we should not dereference the
iph pointer. Otherwise, if the user adds an iptables rule such as
"-j NFLOG --nflog-size 0", we dereference a NULL pointer and
may crash.

Reported-by: Chris Caputo <ccaputo@alt.net>
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
filter/raw2packet/ulogd_raw2packet_BASE.c

index 8a6180c935022c9c0b7e35b3006ba0e9d54c4993..fd2665aac01e1c30c65aa23065628a9adfa431d3 100644 (file)
@@ -717,7 +717,7 @@ static int _interp_iphdr(struct ulogd_pluginstance *pi, uint32_t len)
        struct ulogd_key *ret = pi->output.keys;
        struct iphdr *iph =
                ikey_get_ptr(&pi->input.keys[INKEY_RAW_PCKT]);
-       void *nexthdr = (uint32_t *)iph + iph->ihl;
+       void *nexthdr;
 
        if (len < sizeof(struct iphdr) || len <= (uint32_t)(iph->ihl * 4))
                return ULOGD_IRET_OK;
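Review bot: The guard on the line above still accepts an `ihl` below the IPv4 minimum of 5: a header claiming `ihl` 0–4 passes both tests whenever `len >= sizeof(struct iphdr)`, and `nexthdr` then points back inside the IP header itself, so the transport parser is fed IP header bytes as a TCP/UDP/ICMP header. Extending the condition to `if (len < sizeof(struct iphdr) || iph->ihl < 5 || len <= (uint32_t)(iph->ihl * 4))` rejects such packets before any field is exported. The guard also silently depends on left-to-right short-circuiting — with `--nflog-size 0` the raw-packet pointer may be NULL, and only the `len` test keeps `iph->ihl` from being read — which deserves a comment such as `/* iph may be NULL for an empty capture: test len first */`. `_interp_iphdr` continues past the end of this hunk.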
@@ -734,6 +734,7 @@ static int _interp_iphdr(struct ulogd_pluginstance *pi, uint32_t len)
        okey_set_u16(&ret[KEY_IP_ID], ntohs(iph->id));
        okey_set_u16(&ret[KEY_IP_FRAGOFF], ntohs(iph->frag_off));
 
+       nexthdr = (uint32_t *)iph + iph->ihl;
        switch (iph->protocol) {
        case IPPROTO_TCP:
                _interp_tcp(pi, nexthdr, len);
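Review bot: The relocated `nexthdr = (uint32_t *)iph + iph->ihl;` line carries no hint that its position is load-bearing, so a later tidy-up that hoists it back into the declaration would quietly reintroduce the NULL dereference this commit removes. A one-line comment above it, `/* iph may be NULL or shorter than ihl claims: compute only after the length guard */`, would record why it must stay below the check. The guard it relies on is in the previous hunk; `_interp_iphdr` starts before this hunk and the switch continues past its last line.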