[PATCH nft] payload: return early if dependency is not a payload expression

[Florian Westphal <fw@xxxxxxxxx>]

 if (dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)

is legal only after checking that ->left points to an
EXPR_PAYLOAD expression. The dependency store can also contain
EXPR_META, in this case we access a bogus part of the union.

The payload_may_dependency_kill_icmp helper can't handle a META
dep either, so return early.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 src/payload.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/payload.c b/src/payload.c
index eadc92efc0d7..866cd9bc2b05 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -893,7 +893,8 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
 	if (expr->payload.base != PROTO_BASE_TRANSPORT_HDR)
 		return true;
 
-	if (dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)
+	if (dep->left->etype != EXPR_PAYLOAD ||
+	    dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)
 		return true;
 
 	if (dep->left->payload.desc == &proto_icmp)
-- 
2.45.3