author | Alvaro Neira <alvaroneay@gmail.com> | 2014-10-21 01:29:40 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-10-21 10:16:40 +0200 |
commit | 17b495957b29e699f59874d1ceca9535921b1a79 (patch) | |
tree | ac63b21f702f85e5b4411cdf3ce3eaafbdbb2e20 /src/evaluate.c | |
parent | 1fe6a5add50d9f81b1a25c9ecb7f7ef4f065ca8c (diff) |
evaluate: reject: fix crash if we have transport protocol conflict from inet
Example:
nft add rule inet filter input meta l4proto udp reject with tcp reset
If we try to check if the transport protocol is tcp, we use the network context.
If we don't have this network context, we have a crash.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r-- | src/evaluate.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index 1fec1201..ff46fda3 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1328,11 +1328,16 @@ static int stmt_evaluate_reset(struct eval_ctx *ctx, struct stmt *stmt) const struct proto_desc *desc, *base; struct proto_ctx *pctx = &ctx->pctx; - base = pctx->protocol[PROTO_BASE_NETWORK_HDR].desc; desc = pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc; if (desc == NULL) return 0; + base = pctx->protocol[PROTO_BASE_NETWORK_HDR].desc; + if (base == NULL && + (ctx->pctx.family == NFPROTO_INET || + ctx->pctx.family == NFPROTO_BRIDGE)) + base = &proto_inet_service; + protonum = proto_find_num(base, desc); switch (protonum) { case IPPROTO_TCP: |
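Review bot: the new fallback ahead of `proto_find_num(base, desc)` only assigns `&proto_inet_service` when the family is NFPROTO_INET or NFPROTO_BRIDGE, so for any other family that reaches this point without a network-layer context `base` is still NULL when it is passed to `proto_find_num()`. If that cannot happen for the remaining families, a short comment saying why would help; otherwise add an explicit `base == NULL` check that returns or reports an error before the lookup. Two smaller points in the same block: the condition reads `ctx->pctx.family` although the function already has `pctx = &ctx->pctx`, so `pctx->family` would match the surrounding lines, and the commit message describes only the inet case while the code also covers bridge, which is worth mentioning in the message or in a comment above the fallback.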