diff options
| author | Florian Westphal <fw@strlen.de> | 2017-02-19 18:19:03 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2017-02-27 17:10:43 +0100 |
| commit | 03f1fc078e67b0137d3885d6701098101932f2d0 (patch) | |
| tree | a83d5afadb2c099712cbd35e28678eb0d7ef5476 /src | |
| parent | 1279f57426c15d8553288629be25fc6c6f897d18 (diff) | |
object: don't set NFTNL_OBJ_TYPE unless obj->ops is non-null
If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL.
In this case we must not set NFTNL_OBJ_TYPE flag, else we later get
crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/object.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/object.c b/src/object.c index 9594d2f..62fa48a 100644 --- a/src/object.c +++ b/src/object.c @@ -83,6 +83,8 @@ void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr, break; case NFTNL_OBJ_TYPE: obj->ops = nftnl_obj_ops_lookup(*((uint32_t *)data)); + if (!obj->ops) + return; break; case NFTNL_OBJ_FAMILY: obj->family = *((uint32_t *)data); @@ -250,7 +252,8 @@ int nftnl_obj_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_obj *obj) uint32_t type = ntohl(mnl_attr_get_u32(tb[NFTA_OBJ_TYPE])); obj->ops = nftnl_obj_ops_lookup(type); - obj->flags |= (1 << NFTNL_OBJ_TYPE); + if (obj->ops) + obj->flags |= (1 << NFTNL_OBJ_TYPE); } if (tb[NFTA_OBJ_DATA]) { if (obj->ops) { |