netlink: Avoid crash upon missing NFTNL_OBJ_CT_TIMEOUT_ARRAY attribute
authorPhil Sutter <phil@nwl.cc>
Thu, 12 Jun 2025 18:17:22 +0000 (20:17 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 18 Jun 2025 22:04:39 +0000 (00:04 +0200)
commit 2a38f458f12bc032dac1b3ba63f95ca5a3c03fbd upstream.

If missing, the memcpy call ends up reading from address zero.

Fixes: c7c94802679cd ("src: add ct timeout support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/netlink.c

index cd5ac38ce146320c41cc29999b67b77c852e9344..10f3a901c72e0ef609f77091ee0d8bab68f0068b 100644 (file)
@@ -1727,9 +1727,10 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx,
                init_list_head(&obj->ct_timeout.timeout_list);
                obj->ct_timeout.l3proto = nftnl_obj_get_u16(nlo, NFTNL_OBJ_CT_TIMEOUT_L3PROTO);
                obj->ct_timeout.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_TIMEOUT_L4PROTO);
-               memcpy(obj->ct_timeout.timeout,
-                      nftnl_obj_get(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY),
-                      NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t));
+               if (nftnl_obj_is_set(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY))
+                       memcpy(obj->ct_timeout.timeout,
+                              nftnl_obj_get(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY),
+                              NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t));
                break;
        case NFT_OBJECT_LIMIT:
                obj->limit.rate =
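Review bot: The guarded `memcpy` still reads a fixed `NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t)` bytes from whatever `nftnl_obj_get()` returns, so the new `nftnl_obj_is_set()` check rules out the NULL source but does not by itself bound the read. If libnftnl does not guarantee that the stored attribute is always that size, fetch the length with `nftnl_obj_get_data(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY, &len)` and copy no more than the smaller of `len` and the destination size. When the attribute is absent, `obj->ct_timeout.timeout` is now left untouched, so its contents depend on how `obj` was allocated earlier in `netlink_delinearize_obj`, which is outside this hunk; it is worth confirming that the allocation zeroes it. A one-line comment above the check, such as `/* array attribute may be missing; nftnl_obj_get() would return NULL */`, would record why the copy is conditional.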