diff options
author | Florian Westphal <fw@strlen.de> | 2018-02-15 15:26:31 +0100 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2018-02-15 17:22:42 +0100 |
commit | d9428e67fca288e4f34dbb6c0dfe42ebc48c9ad1 (patch) | |
tree | 0ca58cc750ee549bbe33f5d18e9bbdf064713824 /src | |
parent | 4ff84696af496c398f7621f65858a0120fc2c596 (diff) |
payload: don't decode past last valid template
When trying to decode payload header fields, be sure to bail out
when having exhausted all available templates.
Otherwise, we allocate invalid payload expressions (no dataype,
header length of 0) and then crash when trying to print them.
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1226
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/payload.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/payload.c b/src/payload.c index 6e762ff3..7ca170ed 100644 --- a/src/payload.c +++ b/src/payload.c @@ -662,6 +662,10 @@ void payload_expr_expand(struct list_head *list, struct expr *expr, for (i = 1; i < array_size(desc->templates); i++) { tmpl = &desc->templates[i]; + + if (tmpl->len == 0) + break; + if (tmpl->offset != expr->payload.offset) continue; |