payload: return early if dependency is not a payload expression

commit 50f45c004adbab6a077609088becf62d2651101f upstream.

 if (dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)

is legal only after checking that ->left points to an
EXPR_PAYLOAD expression. The dependency store can also contain
EXPR_META, in this case we access a bogus part of the union.

The payload_may_dependency_kill_icmp helper can't handle a META
dep either, so return early.

Fixes: 533565244d88 ("payload: check icmp dependency before removing previous icmp expression")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/payload.c b/src/payload.c
index 60c2cf2ce0553c3b09a8f78636576ca4f9403333..180bcab91c7dd52501e2ad557334a73d48b4c8c6 100644 (file)
--- a/src/payload.c
+++ b/src/payload.c
@@ -822,7 +822,8 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
        if (expr->payload.base != PROTO_BASE_TRANSPORT_HDR)
                return true;
 
-       if (dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)
+       if (dep->left->etype != EXPR_PAYLOAD ||
+           dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)
                return true;
 
        if (dep->left->payload.desc == &proto_icmp)