author Florian Westphal <fw@strlen.de> 2018-02-15 15:26:31 +0100
committer Florian Westphal <fw@strlen.de> 2018-02-15 17:22:42 +0100
commit d9428e67fca288e4f34dbb6c0dfe42ebc48c9ad1 (patch)
tree 0ca58cc750ee549bbe33f5d18e9bbdf064713824 /src
parent 4ff84696af496c398f7621f65858a0120fc2c596 (diff)
payload: don't decode past last valid template
When trying to decode payload header fields, be sure to bail out when having exhausted all available templates. Otherwise, we allocate invalid payload expressions (no datatype, header length of 0) and then crash when trying to print them.

Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1226
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- src/payload.c 4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/payload.c b/src/payload.c
index 6e762ff3..7ca170ed 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -662,6 +662,10 @@ void payload_expr_expand(struct list_head *list, struct expr *expr,
for (i = 1; i < array_size(desc->templates); i++) {
tmpl = &desc->templates[i];
+
+ if (tmpl->len == 0)
+ break;
+
if (tmpl->offset != expr->payload.offset)
continue;
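Review bot: the new `if (tmpl->len == 0) break;` at the top of the loop body uses a zero length as the end-of-templates marker, but nothing in the hunk documents that convention. The loop bound is still `array_size(desc->templates)`, so the check is only correct if every unused slot in a descriptor's template array is zero-filled and no valid template is ever followed by an empty slot and then another valid one. A short comment above the check stating that a zero-length template terminates the list would make the invariant explicit. If descriptors can legitimately contain gaps, `continue` would be the safer choice than `break`, since it still skips the invalid entry without hiding later ones. It is also worth confirming that the other loops over `desc->templates` in this file apply the same guard, since the crash described in the commit message comes from building an expression out of an empty template.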