From: Maria Matejka Date: Tue, 27 May 2025 08:44:53 +0000 (+0200) Subject: Filters: Fix crash on setting link-local gateway with no interface X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=36a4b74c1195b1a7e1630e0afd7b2e3c60d7aab1;p=thirdparty%2Fbird.git Filters: Fix crash on setting link-local gateway with no interface When refactoring nexthop data structures to eattrs, we missed that we are dereferencing an interface pointer from a possibly invalid memory. This fixes #257. --- diff --git a/filter/f-inst.c b/filter/f-inst.c index 00d39c39b..aeea55eaf 100644 --- a/filter/f-inst.c +++ b/filter/f-inst.c @@ -769,10 +769,11 @@ case SA_GW: { struct eattr *nh_ea = ea_find(fs->rte->attrs, &ea_gen_nexthop); + SKIP_BACK_DECLARE(struct nexthop_adata, nhad, ad, nh_ea ? nh_ea->u.ptr : NULL); + struct nexthop *first = NEXTHOP_IS_REACHABLE(nhad) ? &(nhad->nh) : NULL; ip_addr ip = v1.val.ip; - struct iface *ifa = (ipa_is_link_local(ip) && nh_ea) ? - ((struct nexthop_adata *) nh_ea->u.ptr)->nh.iface : NULL; + struct iface *ifa = (ipa_is_link_local(ip) && first) ? first->iface : NULL; /* XXX this code supposes that every owner is a protocol XXX */ neighbor *n = neigh_find(SKIP_BACK(struct proto, sources, fs->rte->src->owner), ip, ifa, 0);
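Review bot: In the new `first` initializer, `NEXTHOP_IS_REACHABLE(nhad)` is still evaluated when `ea_find()` returned NULL, in which case `nhad` comes from a NULL pointer passed through `SKIP_BACK_DECLARE`. The removed code tested `nh_ea` before touching the attribute data. Neither macro's definition is visible in this hunk, so if `NEXTHOP_IS_REACHABLE` reads through `nhad`, a route with no nexthop attribute would hit a NULL dereference instead of the crash this commit fixes. An explicit guard removes that dependency: `struct nexthop *first = (nh_ea && NEXTHOP_IS_REACHABLE(nhad)) ? &(nhad->nh) : NULL;`. The `case SA_GW` block continues past the end of the hunk, so how `n` is used afterwards was not reviewed.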