[PATCH] rule: fix NULL pointer dereference in do_list_flowtable

[PATCH] rule: fix NULL pointer dereference in do_list_flowtable

[Anton Moryakov]

Static analysis found a potential NULL pointer dereference in
do_command_list() when handling CMD_OBJ_FLOWTABLE.

If cmd->handle.table.name is not specified, the table pointer remains
NULL after the cache lookup block. However, do_list_flowtable() expects
a valid table pointer and dereferences it via ft_cache_find().

This is inconsistent with other object types (CMD_OBJ_SET, CMD_OBJ_CHAIN,
etc.) which require a valid table for single-object listing.

Add a NULL check before calling do_list_flowtable() to prevent the
potential crash and return ENOENT error, consistent with existing
error handling patterns.

Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
---
 src/rule.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/rule.c b/src/rule.c
index 8f8b77f1..0c3372ba 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -2655,6 +2655,10 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
 	case CMD_OBJ_TUNNELS:
 		return do_list_obj(ctx, cmd, NFT_OBJECT_TUNNEL);
 	case CMD_OBJ_FLOWTABLE:
+	    if (!table) {
+        	errno = ENOENT;
+        	return -1;
+    	}
 		return do_list_flowtable(ctx, cmd, table);
 	case CMD_OBJ_FLOWTABLES:
 		return do_list_flowtables(ctx, cmd);
-- 
2.39.2

Re: [PATCH] rule: fix NULL pointer dereference in do_list_flowtable

[Florian Westphal]

Anton Moryakov <ant.v.moryakov@gmail.com> wrote:
> Static analysis found a potential NULL pointer dereference in
> do_command_list() when handling CMD_OBJ_FLOWTABLE.
> 
> If cmd->handle.table.name is not specified, the table pointer remains
> NULL after the cache lookup block. However, do_list_flowtable() expects
> a valid table pointer and dereferences it via ft_cache_find().

Not following, table is never NULL in the function:

static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
{
	struct table *table = NULL; [..]

	if (cmd->handle.table.name != NULL) {
		table = table_cache_find(&ctx->nft->cache.table_cache,
					 cmd->handle.table.name,
					 cmd->handle.family);
		if (!table) {
			errno = ENOENT;
			return -1;
		}
	}

	switch (cmd->obj) {
[..]
	case CMD_OBJ_FLOWTABLE:
		return do_list_flowtable(ctx, cmd, table);

This has been the case for almost a year:

commit 853d3a2d3cbdc7aab16d3d33999d00b32a6db7ce
Date:   Thu Mar 20 14:31:42 2025 +0100
rule: return error if table does not exist

Re: [PATCH] rule: fix NULL pointer dereference in do_list_flowtable

[Pablo Neira Ayuso]

On Thu, Mar 05, 2026 at 03:04:52PM +0100, Florian Westphal wrote:
> Anton Moryakov <ant.v.moryakov@gmail.com> wrote:
> > Static analysis found a potential NULL pointer dereference in
> > do_command_list() when handling CMD_OBJ_FLOWTABLE.
> > 
> > If cmd->handle.table.name is not specified, the table pointer remains
> > NULL after the cache lookup block. However, do_list_flowtable() expects
> > a valid table pointer and dereferences it via ft_cache_find().
> 
> Not following, table is never NULL in the function:

Yes, static analysis keeps coming here with this.

Maybe add assert(table) to give them a hint so this is not reported
again.

> static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
> {
> 	struct table *table = NULL; [..]
> 
> 	if (cmd->handle.table.name != NULL) {
> 		table = table_cache_find(&ctx->nft->cache.table_cache,
> 					 cmd->handle.table.name,
> 					 cmd->handle.family);
> 		if (!table) {
> 			errno = ENOENT;
> 			return -1;
> 		}
> 	}
> 
> 	switch (cmd->obj) {
> [..]
> 	case CMD_OBJ_FLOWTABLE:
> 		return do_list_flowtable(ctx, cmd, table);
> 
> This has been the case for almost a year:
> 
> commit 853d3a2d3cbdc7aab16d3d33999d00b32a6db7ce
> Date:   Thu Mar 20 14:31:42 2025 +0100
> rule: return error if table does not exist
>