From 05407602f79391e89e57ef5c4a1a0aea720855e2 Mon Sep 17 00:00:00 2001

From: Phil Sutter <psutter@redhat.com>

Date: Tue, 21 Feb 2023 19:50:41 +0100

Subject: [PATCH] netlink_delinearize: Sanitize concat data element decoding

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2160049

Upstream Status: nftables commit 1344d9e53ba4d

commit 1344d9e53ba4d67cedd13a2c76a970fc7ce65683

Author: Phil Sutter <phil@nwl.cc>

Date:   Tue Feb 21 18:36:01 2023 +0100

    netlink_delinearize: Sanitize concat data element decoding

    The call to netlink_get_register() might return NULL, catch this before

    dereferencing the pointer.

    Fixes: db59a5c1204c9 ("netlink_delinearize: fix decoding of concat data element")

    Signed-off-by: Phil Sutter <phil@nwl.cc>

    Acked-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>

---

 src/netlink_delinearize.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c

index e9e0845..cadb8ec 100644

--- a/src/netlink_delinearize.c

+++ b/src/netlink_delinearize.c

@@ -1660,7 +1660,7 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,

 		sreg_data = netlink_parse_register(nle, NFTNL_EXPR_DYNSET_SREG_DATA);

 		expr_data = netlink_get_register(ctx, loc, sreg_data);

-		if (expr_data->len < set->data->len) {

+		if (expr_data && expr_data->len < set->data->len) {

 			expr_free(expr_data);

 			expr_data = netlink_parse_concat_expr(ctx, loc, sreg_data, set->data->len);

 			if (expr_data == NULL)

-- 

2.39.2