nft: fix crash when getprotobynumber() returns 0

This needs to first check if pent is NULL.

Signed-off-by: Florian Westphal <fw@strlen.de>

2 files changed, 17 insertions, 12 deletions

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index b779aef5..26d0d36c 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -460,15 +460,17 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
 		const struct protoent *pent =
 			getprotobynumber(cs->fw.ip.proto);
 		char protonum[sizeof("65535")];
+		const char *name = protonum;
 
-		if (!xlate_find_match(cs, pent->p_name)) {
-			snprintf(protonum, sizeof(protonum), "%u",
-				 cs->fw.ip.proto);
-			protonum[sizeof(protonum) - 1] = '\0';
+		snprintf(protonum, sizeof(protonum), "%u",
+			 cs->fw.ip.proto);
+
+		if (!pent || !xlate_find_match(cs, pent->p_name)) {
+			if (pent)
+				name = pent->p_name;
 			xt_xlate_add(xl, "ip protocol %s%s ",
 				   cs->fw.ip.invflags & IPT_INV_PROTO ?
-					"!= " : "",
-				   pent ? pent->p_name : protonum);
+					"!= " : "", name);
 		}
 	}
 
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 1be49dd3..af525422 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -417,16 +417,19 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
 		const struct protoent *pent =
 			getprotobynumber(cs->fw6.ipv6.proto);
 		char protonum[sizeof("65535")];
+		const char *name = protonum;
 
-		if (!xlate_find_match(cs, pent->p_name)) {
-			snprintf(protonum, sizeof(protonum), "%u",
-				 cs->fw6.ipv6.proto);
-			protonum[sizeof(protonum) - 1] = '\0';
+		snprintf(protonum, sizeof(protonum), "%u",
+			 cs->fw6.ipv6.proto);
+
+		if (!pent || !xlate_find_match(cs, pent->p_name)) {
+			if (pent)
+				name = pent->p_name;
 			xt_xlate_add(xl, "meta l4proto %s%s ",
 				   cs->fw6.ipv6.invflags & IP6T_INV_PROTO ?
-					"!= " : "",
-				   pent ? pent->p_name : protonum);
+					"!= " : "", name);
 		}
+
 	}
 
 	xlate_ipv6_addr("ip6 saddr", &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk,