From 17b495957b29e699f59874d1ceca9535921b1a79 Mon Sep 17 00:00:00 2001
From: Alvaro Neira
Date: Tue, 21 Oct 2014 01:29:40 +0200
Subject: evaluate: reject: fix crash if we have transport protocol conflict from inet
Example: nft add rule inet filter input meta l4proto udp reject with tcp reset
If we try to check if the transport protocol is tcp, we use the network context. If we don't have this network context, we have a crash.
Signed-off-by: Alvaro Neira Ayuso
Signed-off-by: Pablo Neira Ayuso
---
 src/evaluate.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/evaluate.c b/src/evaluate.c
index 1fec1201..ff46fda3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1328,11 +1328,16 @@ static int stmt_evaluate_reset(struct eval_ctx *ctx, struct stmt *stmt)
 const struct proto_desc *desc, *base;
 struct proto_ctx *pctx = &ctx->pctx;
- base = pctx->protocol[PROTO_BASE_NETWORK_HDR].desc;
 desc = pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc;
 if (desc == NULL)
 return 0;
+ base = pctx->protocol[PROTO_BASE_NETWORK_HDR].desc;
+ if (base == NULL &&
+ (ctx->pctx.family == NFPROTO_INET ||
+ ctx->pctx.family == NFPROTO_BRIDGE))
+ base = &proto_inet_service;
+
 protonum = proto_find_num(base, desc);
 switch (protonum) {
 case IPPROTO_TCP:
-- cgit v1.2.3
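Review bot: The new fallback covers only `NFPROTO_INET` and `NFPROTO_BRIDGE`, so for any other family whose network-header context is unset, `base` is still NULL when it reaches `proto_find_num(base, desc)`. Whether that helper tolerates a NULL base is not visible here, but the crash this commit fixes suggests it does not. An explicit guard before the lookup, e.g. `if (base == NULL) return 0;` (or the evaluator's usual error return), would close the remaining path for rulesets parsed from user input. The condition could also read `pctx->family` instead of `ctx->pctx.family`, since `pctx` is already `&ctx->pctx` earlier in the hunk. stmt_evaluate_reset starts and ends outside the hunk.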