From patchwork Thu Mar 1 14:00:30 2018
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 879883
X-Patchwork-Delegate: pablo@netfilter.org
From: Phil Sutter To: Florian Westphal Cc: netfilter-devel@vger.kernel.org, Laura Garcia Liebana Subject: [nft PATCH 4/6] hash: Fix potential null-pointer dereference in hash_expr_cmp() Date: Thu, 1 Mar 2018 15:00:30 +0100 Message-Id: <20180301140032.20822-5-phil@nwl.cc> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180301140032.20822-1-phil@nwl.cc> References: <20180301140032.20822-1-phil@nwl.cc> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org The first part of the conditional: | (e1->hash.expr || expr_cmp(e1->hash.expr, e2->hash.expr)) will call expr_cmp() in case e1->hash.expr is NULL, causing null-pointer dereference. This is probably a typo, the intention when introducing this was to avoid the call to expr_cmp() for symmetric hash expressions which don't use expr->hash.expr. Inverting the existence check should fix this. Fixes: 3a86406729782 ("src: hash: support of symmetric hash") Cc: Laura Garcia Liebana Signed-off-by: Phil Sutter --- src/hash.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/hash.c b/src/hash.c index 3355cadd1df2f..e6999637566c3 100644 --- a/src/hash.c +++ b/src/hash.c @@ -36,7 +36,7 @@ static void hash_expr_print(const struct expr *expr, struct output_ctx *octx) static bool hash_expr_cmp(const struct expr *e1, const struct expr *e2) { - return (e1->hash.expr || + return (!e1->hash.expr || expr_cmp(e1->hash.expr, e2->hash.expr)) && e1->hash.mod == e2->hash.mod && e1->hash.seed_set == e2->hash.seed_set &&
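Review bot: The new first operand in hash_expr_cmp() guards only e1->hash.expr, so the check is asymmetric. When e1->hash.expr is set and e2->hash.expr is NULL, expr_cmp(e1->hash.expr, e2->hash.expr) is still called with a NULL second argument. When e1->hash.expr is NULL and e2->hash.expr is set, the pair passes this part of the comparison as if the inner expressions matched. Unless the remaining comparisons (the hunk is cut off after e1->hash.seed_set == e2->hash.seed_set) guarantee that both sides agree on whether hash.expr is present, compare the presence of both pointers first and call expr_cmp() only when both are non-NULL, for example "(!e1->hash.expr == !e2->hash.expr) && (!e1->hash.expr || expr_cmp(e1->hash.expr, e2->hash.expr))". If the asymmetry is intentional, a short comment above the return stating why e2->hash.expr cannot be NULL at this point would make that visible to the next reader.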