src: fix possible null pointer dereference in nft_*_attr_get_*

As reported by John Sager, nft_set_attr_get_u32 can cause a
segfault because nft_set_attr_get can return NULL. Check for
a non-NULL pointer before dereferencing.

This closes netfilter bugzilla #868.

[ I have mangled this patch to solve possible null pointer
  dereference with get operations with rule objects --pablo ]

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2 files changed, 8 insertions, 8 deletions

diff --git a/src/rule.c b/src/rule.c
index 62e3307..d135f38 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -201,22 +201,22 @@ EXPORT_SYMBOL(nft_rule_attr_get_str);
 
 uint32_t nft_rule_attr_get_u32(const struct nft_rule *r, uint16_t attr)
 {
-	uint32_t val = *((uint32_t *)nft_rule_attr_get(r, attr));
-	return val;
+	const uint32_t *val = nft_rule_attr_get(r, attr);
+	return val ? *val : 0;
 }
 EXPORT_SYMBOL(nft_rule_attr_get_u32);
 
 uint64_t nft_rule_attr_get_u64(const struct nft_rule *r, uint16_t attr)
 {
-	uint64_t val = *((uint64_t *)nft_rule_attr_get(r, attr));
-	return val;
+	const uint64_t *val = nft_rule_attr_get(r, attr);
+	return val ? *val : 0;
 }
 EXPORT_SYMBOL(nft_rule_attr_get_u64);
 
 uint8_t nft_rule_attr_get_u8(const struct nft_rule *r, uint16_t attr)
 {
-	uint8_t val = *((uint8_t *)nft_rule_attr_get(r, attr));
-	return val;
+	const uint8_t *val = nft_rule_attr_get(r, attr);
+	return val ? *val : 0;
 }
 EXPORT_SYMBOL(nft_rule_attr_get_u8);
 
diff --git a/src/set.c b/src/set.c
index 74ec1e3..2c6e6a6 100644
--- a/src/set.c
+++ b/src/set.c
@@ -183,8 +183,8 @@ EXPORT_SYMBOL(nft_set_attr_get_str);
 
 uint32_t nft_set_attr_get_u32(struct nft_set *s, uint16_t attr)
 {
-	uint32_t val = *((uint32_t *)nft_set_attr_get(s, attr));
-	return val;
+	const uint32_t *val = nft_set_attr_get(s, attr);
+	return val ? *val : 0;
 }
 EXPORT_SYMBOL(nft_set_attr_get_u32);