From 56b231805a97c556c8adc7010e15ef0581dd35e3 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Mon, 31 Mar 2025 14:43:34 +0200
Subject: [PATCH] evaluate: fix crash when generating reject statement error

commit 9b7346d1eac2eb90a2baf589affafec5b1a033b6 upstream.

After patch, this gets rejected with:
internal:0:0-0: Error: conflicting protocols specified: ip vs ip6

Without patch, we crash with a NULL dereference: we cannot use
reject.expr->location unconditionally.

Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 4fca39be..fac1ea16 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3514,6 +3514,18 @@ static int stmt_evaluate_reject_bridge(struct eval_ctx *ctx, struct stmt *stmt,
 	return 0;
 }
 
+static int stmt_reject_error(struct eval_ctx *ctx,
+			     const struct stmt *stmt,
+			     const char *msg)
+{
+	struct expr *e = stmt->reject.expr;
+
+	if (e)
+		return stmt_binary_error(ctx, e, stmt, "%s", msg);
+
+	return stmt_error(ctx, stmt, "%s", msg);
+}
+
 static int stmt_evaluate_reject_family(struct eval_ctx *ctx, struct stmt *stmt,
 				       struct expr *expr)
 {
@@ -3528,12 +3540,12 @@ static int stmt_evaluate_reject_family(struct eval_ctx *ctx, struct stmt *stmt,
 				return -1;
 			break;
 		case NFT_REJECT_ICMPX_UNREACH:
-			return stmt_binary_error(ctx, stmt->reject.expr, stmt,
+			return stmt_reject_error(ctx, stmt,
 				   "abstracted ICMP unreachable not supported");
 		case NFT_REJECT_ICMP_UNREACH:
 			if (stmt->reject.family == ctx->pctx.family)
 				break;
-			return stmt_binary_error(ctx, stmt->reject.expr, stmt,
+			return stmt_reject_error(ctx, stmt,
 				  "conflicting protocols specified: ip vs ip6");
 		}
 		break;
-- 
2.47.2