authorPhil Sutter <phil@nwl.cc>2025-06-12 20:17:22 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2025-06-19 00:04:39 +0200
commitc6743acc7cd6e10149d32b4755bfde8be6cc6874 (patch)
tree2400bbcba47dd1a75ad1b6616aa51394562fa857
parent0ea7919feb8fe153f072bdaa74f0d9b52cd8361d (diff)
netlink: Avoid crash upon missing NFTNL_OBJ_CT_TIMEOUT_ARRAY attribute
commit 2a38f458f12bc032dac1b3ba63f95ca5a3c03fbd upstream. If missing, the memcpy call ends up reading from address zero. Fixes: c7c94802679cd ("src: add ct timeout support") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/netlink.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/src/netlink.c b/src/netlink.c
index cd5ac38c..10f3a901 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1727,9 +1727,10 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx,
init_list_head(&obj->ct_timeout.timeout_list);
obj->ct_timeout.l3proto = nftnl_obj_get_u16(nlo, NFTNL_OBJ_CT_TIMEOUT_L3PROTO);
obj->ct_timeout.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_TIMEOUT_L4PROTO);
- memcpy(obj->ct_timeout.timeout,
- nftnl_obj_get(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY),
- NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t));
+ if (nftnl_obj_is_set(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY))
+ memcpy(obj->ct_timeout.timeout,
+ nftnl_obj_get(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY),
+ NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t));
break;
case NFT_OBJECT_LIMIT:
obj->limit.rate =
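Review bot: The guarded `memcpy` in the `+` lines still copies a fixed `NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t)` bytes from the pointer `nftnl_obj_get()` returns, and nothing visible in the hunk shows that the stored attribute is at least that long. The library may well guarantee this size, but the call site could verify it by fetching the length, `uint32_t len; const void *t = nftnl_obj_get_data(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY, &len);`, and copying only under `if (t && len >= sizeof(obj->ct_timeout.timeout))`, which also ties the bound to the destination. When the attribute is absent, `obj->ct_timeout.timeout` now keeps whatever the allocation left there, presumably zeroes. A short comment such as `/* attribute absent: timeout[] keeps its allocation-time contents */` would make that fallback explicit. The enclosing `netlink_delinearize_obj()` starts and ends outside the hunk, so the allocation and any later consumers of `timeout[]` are not visible here.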