From df4d342d7618b959d9d2ac87aa70d47049b911bc Mon Sep 17 00:00:00 2001
From: Alexander Chernavin
Date: Tue, 11 Jul 2023 11:10:48 +0000
Subject: linux-cp: fix crash on processing dump of routes nl_route_add() recently started to use its optional argument to check whether replace flag is set for the message. When notification messages are processed, the argument is a pointer to the corresponding message info. However, when dump replies are processed, the argument is a null pointer. This leads to null pointer dereference and crash when dump of routes is processed. With this fix, check for replace flag only if message info was passed to nl_route_add(). Otherwise, assume the flag is not set. Dump replies do not have it set.
Type: fix
Change-Id: Icb04a1146e09cc965b623018c28f91b347be0eab
Signed-off-by: Alexander Chernavin
---
 src/plugins/linux-cp/lcp_nl.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/plugins/linux-cp/lcp_nl.c b/src/plugins/linux-cp/lcp_nl.c
index b4fef7e0b40..b548d7afa39 100644
--- a/src/plugins/linux-cp/lcp_nl.c
+++ b/src/plugins/linux-cp/lcp_nl.c
@@ -205,10 +205,17 @@ nl_route_del (struct rtnl_route *rr, void *arg)
 static void
 nl_route_add (struct rtnl_route *rr, void *arg)
 {
- nl_msg_info_t *msg_info = (nl_msg_info_t *) arg;
- struct nlmsghdr *nlh = nlmsg_hdr (msg_info->msg);
+ int is_replace = 0;

- FOREACH_VFT_CTX (nvl_rt_route_add, rr, (nlh->nlmsg_flags & NLM_F_REPLACE));
+ if (arg)
+ {
+ nl_msg_info_t *msg_info = (nl_msg_info_t *) arg;
+ struct nlmsghdr *nlh = nlmsg_hdr (msg_info->msg);
+
+ is_replace = (nlh->nlmsg_flags & NLM_F_REPLACE);
+ }
+
+ FOREACH_VFT_CTX (nvl_rt_route_add, rr, is_replace);
 }

 static void
-- cgit 1.2.3-korg
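Review bot: The contract that `arg` is NULL for dump replies and a message-info pointer for notifications is only implied by the new `if (arg)` guard in nl_route_add(), so a later change that reads `arg` can reintroduce the same null dereference. A comment above the guard would pin it down, for example `/* arg is NULL for dump replies; otherwise it points to the nl_msg_info_t of the notification */`. Inside the guard, `msg_info->msg` is still passed to nlmsg_hdr() unchecked; the notification path presumably guarantees it is set, but that is not visible in this hunk. nl_route_del(), named in the hunk header, takes the same `void *arg` and its body is outside the hunk, so it is worth confirming that it does not make the same assumption.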