From 21d7fa6f6a40d56c5c23eedd6ddb6a411fb8e62b Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Tue, 21 Feb 2023 19:50:41 +0100
Subject: [PATCH] netlink_delinearize: Sanitize concat data element decoding
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
Upstream Status: nftables commit 1344d9e53ba4d
commit 1344d9e53ba4d67cedd13a2c76a970fc7ce65683
Author: Phil Sutter
Date: Tue Feb 21 18:36:01 2023 +0100
netlink_delinearize: Sanitize concat data element decoding
The call to netlink_get_register() might return NULL, catch this before dereferencing the pointer.
Fixes: db59a5c1204c9 ("netlink_delinearize: fix decoding of concat data element")
Signed-off-by: Phil Sutter
Acked-by: Florian Westphal
Signed-off-by: Phil Sutter
---
 src/netlink_delinearize.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index e9e0845..cadb8ec 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1660,7 +1660,7 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,
 sreg_data = netlink_parse_register(nle, NFTNL_EXPR_DYNSET_SREG_DATA);
 expr_data = netlink_get_register(ctx, loc, sreg_data);
 
- if (expr_data->len < set->data->len) {
+ if (expr_data && expr_data->len < set->data->len) {
 expr_free(expr_data);
 expr_data = netlink_parse_concat_expr(ctx, loc, sreg_data, set->data->len);
 if (expr_data == NULL)
-- 
2.41.0.rc1
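Review bot: The added `expr_data &&` guard stops the immediate dereference, but when netlink_get_register() returns NULL the branch is simply skipped and expr_data stays NULL for whatever netlink_parse_dynset does with it after the hunk (the function's body continues past the last line shown), so the code there must already tolerate a NULL data expression or the crash has only moved later. If a register with no loaded value means the expression cannot be decoded at all, an explicit bail-out right after the lookup would make that contract visible rather than relying on the condition silently falling through; if the fall-through is intended, a one-line comment such as `/* sreg_data may be empty; only re-parse a concat when a shorter value is present */` above the if would save the next reader from re-deriving it. The same condition also dereferences `set->data` unconditionally; nothing in the hunk shows that a dynset carrying SREG_DATA always has a map data type, so that assumption is worth confirming against the callers or stating in the comment.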