[PATCH nft] payload: don't decode past last valid template

When trying to decode payload header fields, be sure to bail out
when having exhausted all available templates.

Otherwise, we allocate invalid payload expressions (no datatype,
header length of 0) and then crash when trying to print them.

Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1226
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 src/payload.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/payload.c b/src/payload.c
index 60090accbcd8..63c9f7157e4e 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -618,6 +618,10 @@ void payload_expr_expand(struct list_head *list, struct expr *expr,
 
 	for (i = 1; i < array_size(desc->templates); i++) {
 		tmpl = &desc->templates[i];
+
+		if (tmpl->len == 0)
+			break;
+
 		if (tmpl->offset != expr->payload.offset)
 			continue;
 
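Review bot: the new `if (tmpl->len == 0) break;` at the top of the loop body treats the first zero-length template as the end of the array, which is only correct if every desc fills its templates contiguously from index 1; a gap would hide any valid template that follows it. A short comment stating that a zero length marks the first unused slot would document that assumption, or `continue` could replace `break` if gaps are possible. The diffstat touches only src/payload.c, so a regression test for the input from bugzilla 1226 would be worth adding alongside the fix.
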
-- 
2.16.1
