As discovered by Coverity, nf_ct_helper_ext_add may return null, which must then be checked. --- net/netfilter/nft_ct.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index 06b52c894573..dd731d5d9fb5 100644 --- a/net/netfilter/nft_ct.c +++ b/net/netfilter/nft_ct.c @@ -1232,6 +1232,10 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj, help = nfct_help(ct); if (!help) help = nf_ct_helper_ext_add(ct, GFP_ATOMIC); + if (!help) { + regs->verdict.code = NF_DROP; + return; + } if (help->expecting[NF_CT_EXPECT_CLASS_DEFAULT] >= priv->size) { regs->verdict.code = NFT_BREAK; @@ -1241,7 +1245,7 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj, l3num = nf_ct_l3num(ct); exp = nf_ct_expect_alloc(ct); - if (exp == NULL) { + if (!exp) { regs->verdict.code = NF_DROP; return; } -- 2.21.0