netlink_delinearize: Avoid potential null pointer deref

Phil Sutter says:

As netlink_get_register() may return NULL, we must not pass the returned
data unchecked to expr_set_type() as that will dereference it. Since the
parser has failed at that point anyway, by returning early we can skip
the useless statement allocation that follows in
netlink_parse_ct_stmt().

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Phil Sutter <phil@nwl.cc>

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 1a1cfbded4e1e84c3c2340d34a0bbbc30604b288..cddbfa631686f6de70508e95ee18e92580e1461a 100644 (file)
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -428,6 +428,10 @@ static void netlink_parse_payload_stmt(struct netlink_parse_ctx *ctx,
 
        sreg = netlink_parse_register(nle, NFTNL_EXPR_PAYLOAD_SREG);
        val  = netlink_get_register(ctx, loc, sreg);
+       if (val == NULL)
+               return netlink_error(ctx, loc,
+                                    "payload statement has no expression");
+
        stmt = payload_stmt_alloc(loc, expr, val);
 
        list_add_tail(&stmt->list, &ctx->rule->stmts);
@@ -473,6 +477,9 @@ static void netlink_parse_hash(struct netlink_parse_ctx *ctx,
 
        sreg = netlink_parse_register(nle, NFTNL_EXPR_HASH_SREG);
        hexpr = netlink_get_register(ctx, loc, sreg);
+       if (hexpr == NULL)
+               return netlink_error(ctx, loc,
+                                    "hash statement has no expression");
 
        seed = nftnl_expr_get_u32(nle, NFTNL_EXPR_HASH_SEED);
        mod  = nftnl_expr_get_u32(nle, NFTNL_EXPR_HASH_MODULUS);
@@ -517,6 +524,9 @@ static void netlink_parse_meta_stmt(struct netlink_parse_ctx *ctx,
 
        sreg = netlink_parse_register(nle, NFTNL_EXPR_META_SREG);
        expr = netlink_get_register(ctx, loc, sreg);
+       if (expr == NULL)
+               return netlink_error(ctx, loc,
+                                    "meta statement has no expression");
 
        key  = nftnl_expr_get_u32(nle, NFTNL_EXPR_META_KEY);
        stmt = meta_stmt_alloc(loc, key, expr);
@@ -562,6 +572,9 @@ static void netlink_parse_ct_stmt(struct netlink_parse_ctx *ctx,
 
        sreg = netlink_parse_register(nle, NFTNL_EXPR_CT_SREG);
        expr = netlink_get_register(ctx, loc, sreg);
+       if (expr == NULL)
+               return netlink_error(ctx, loc,
+                                    "ct statement has no expression");
 
        key  = nftnl_expr_get_u32(nle, NFTNL_EXPR_CT_KEY);
        stmt = ct_stmt_alloc(loc, key, expr);