diff options
author | Phil Sutter <phil@nwl.cc> | 2025-06-12 20:17:22 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2025-06-19 00:04:39 +0200 |
commit | c6743acc7cd6e10149d32b4755bfde8be6cc6874 (patch) | |
tree | 2400bbcba47dd1a75ad1b6616aa51394562fa857 | |
parent | 0ea7919feb8fe153f072bdaa74f0d9b52cd8361d (diff) |
netlink: Avoid crash upon missing NFTNL_OBJ_CT_TIMEOUT_ARRAY attribute
commit 2a38f458f12bc032dac1b3ba63f95ca5a3c03fbd upstream.
If missing, the memcpy call ends up reading from address zero.
Fixes: c7c94802679cd ("src: add ct timeout support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/netlink.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/netlink.c b/src/netlink.c index cd5ac38c..10f3a901 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -1727,9 +1727,10 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx, init_list_head(&obj->ct_timeout.timeout_list); obj->ct_timeout.l3proto = nftnl_obj_get_u16(nlo, NFTNL_OBJ_CT_TIMEOUT_L3PROTO); obj->ct_timeout.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_TIMEOUT_L4PROTO); - memcpy(obj->ct_timeout.timeout, - nftnl_obj_get(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY), - NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t)); + if (nftnl_obj_is_set(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY)) + memcpy(obj->ct_timeout.timeout, + nftnl_obj_get(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY), + NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t)); break; case NFT_OBJECT_LIMIT: obj->limit.rate = |