* [PATCH nft] payload: return early if dependency is not a payload expression
@ 2025-02-25 20:33 Florian Westphal
  2025-02-25 23:22 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Florian Westphal @ 2025-02-25 20:33 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

 if (dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)

is legal only after checking that ->left points to an
EXPR_PAYLOAD expression. The dependency store can also contain
EXPR_META; in this case we access a bogus part of the union.

The payload_may_dependency_kill_icmp helper can't handle a META
dep either, so return early.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/payload.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/payload.c b/src/payload.c
index eadc92efc0d7..866cd9bc2b05 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -893,7 +893,8 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
 	if (expr->payload.base != PROTO_BASE_TRANSPORT_HDR)
 		return true;
 
-	if (dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)
+	if (dep->left->etype != EXPR_PAYLOAD ||
+	    dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)
 		return true;
 
 	if (dep->left->payload.desc == &proto_icmp)
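
Review bot: the new "dep->left->etype != EXPR_PAYLOAD" test shares one "return true" with the base mismatch case, and nothing in the code says why a non-payload dependency gets the same answer. The commit message has the reason (the store can hold EXPR_META, and payload_may_dependency_kill_icmp cannot handle it), so a one-line comment above the condition would keep that from being lost when the function is next touched. The order of the two operands is what makes the union access safe, so the comment should also say that the etype test must stay first. The diffstat shows only src/payload.c changed; a test case with a meta dependency in the store would pin the behaviour down.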
-- 
2.45.3

