From 03f1fc078e67b0137d3885d6701098101932f2d0 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Sun, 19 Feb 2017 18:19:03 +0100
Subject: object: don't set NFTNL_OBJ_TYPE unless obj->ops is non-null

If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL. In this case we must not set NFTNL_OBJ_TYPE flag, else we later get crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops.

Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
---
 src/object.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/object.c b/src/object.c
index 9594d2f..62fa48a 100644
--- a/src/object.c
+++ b/src/object.c
@@ -83,6 +83,8 @@ void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
 break;
 case NFTNL_OBJ_TYPE:
 obj->ops = nftnl_obj_ops_lookup(*((uint32_t *)data));
+ if (!obj->ops)
+ return;
 break;
 case NFTNL_OBJ_FAMILY:
 obj->family = *((uint32_t *)data);
@@ -250,7 +252,8 @@ int nftnl_obj_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_obj *obj)
 uint32_t type = ntohl(mnl_attr_get_u32(tb[NFTA_OBJ_TYPE]));
 obj->ops = nftnl_obj_ops_lookup(type);
- obj->flags |= (1 << NFTNL_OBJ_TYPE);
+ if (obj->ops)
+ obj->flags |= (1 << NFTNL_OBJ_TYPE);
 }
 if (tb[NFTA_OBJ_DATA]) {
 if (obj->ops) {
-- 
cgit v1.2.3
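Review bot: In the `NFTNL_OBJ_TYPE` case of nftnl_obj_set_data, a failed lookup has already overwritten `obj->ops` with NULL by the time the new early return runs. An object whose type was set successfully earlier would therefore keep its NFTNL_OBJ_TYPE flag (assuming nothing outside the hunk clears it) while `obj->ops` is NULL, which is the state the commit message says crashes nftnl_obj_nlmsg_build_payload. Clearing the flag on failure closes that gap: `if (!obj->ops) { obj->flags &= ~(1 << NFTNL_OBJ_TYPE); return; }`. The second hunk has the same gap if `obj` is ever reused for parsing, where an `else obj->flags &= ~(1 << NFTNL_OBJ_TYPE);` would do. Because the function returns void, the caller also gets no signal that the type was rejected; the function body starts and ends outside the hunk.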
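Review bot: In nftnl_obj_nlmsg_parse an unrecognised NFTA_OBJ_TYPE is now dropped silently: the flag stays clear, the NFTA_OBJ_DATA branch below is skipped by its own `if (obj->ops)` test, and nothing in the hunk tells the caller that the message was only partly parsed. If that leniency is intended, for example for a kernel that knows object types this library does not, a comment above the new `if` would record it: `/* unknown type: leave NFTNL_OBJ_TYPE unset so later code never dereferences a NULL obj->ops */`. Otherwise consider failing the parse at this point. The function continues outside the hunk, so its return path is not visible here.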