linux-cp: fix crash on processing dump of routes

nl_route_add() recently started to use its optional argument to check
whether replace flag is set for the message. When notification messages
are processed, the argument is a pointer to the corresponding message
info. However, when dump replies are processed, the argument is a null
pointer. This leads to null pointer dereference and crash when dump of
routes is processed.

With this fix, check for replace flag only if message info was passed
to nl_route_add(). Otherwise, assume the flag is not set. Dump replies
do not have it set.

Type: fix
Change-Id: Icb04a1146e09cc965b623018c28f91b347be0eab
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>

1 files changed, 10 insertions, 3 deletions

diff --git a/src/plugins/linux-cp/lcp_nl.c b/src/plugins/linux-cp/lcp_nl.c
index b4fef7e0b40..b548d7afa39 100644
--- a/src/plugins/linux-cp/lcp_nl.c
+++ b/src/plugins/linux-cp/lcp_nl.c
@@ -205,10 +205,17 @@ nl_route_del (struct rtnl_route *rr, void *arg)
 static void
 nl_route_add (struct rtnl_route *rr, void *arg)
 {
-  nl_msg_info_t *msg_info = (nl_msg_info_t *) arg;
-  struct nlmsghdr *nlh = nlmsg_hdr (msg_info->msg);
+  int is_replace = 0;
 
-  FOREACH_VFT_CTX (nvl_rt_route_add, rr, (nlh->nlmsg_flags & NLM_F_REPLACE));
+  if (arg)
+    {
+      nl_msg_info_t *msg_info = (nl_msg_info_t *) arg;
+      struct nlmsghdr *nlh = nlmsg_hdr (msg_info->msg);
+
+      is_replace = (nlh->nlmsg_flags & NLM_F_REPLACE);
+    }
+
+  FOREACH_VFT_CTX (nvl_rt_route_add, rr, is_replace);
 }
 
 static void