evaluate: reject: fix crash if we have transport protocol conflict from inet

Example: nft add rule inet filter input meta l4proto udp reject with tcp reset If we try to check if the transport protocol is tcp, we use the network context. If we don't have this network context, we have a crash. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Alvaro Neira <alvaroneay@gmail.com> 2014-10-21 01:29:40 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2014-10-21 10:16:40 +0200
commit: 17b495957b29e699f59874d1ceca9535921b1a79 (patch)
tree: ac63b21f702f85e5b4411cdf3ce3eaafbdbb2e20 /src
parent: 1fe6a5add50d9f81b1a25c9ecb7f7ef4f065ca8c (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 1fec1201..ff46fda3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1328,11 +1328,16 @@ static int stmt_evaluate_reset(struct eval_ctx *ctx, struct stmt *stmt)
 	const struct proto_desc *desc, *base;
 	struct proto_ctx *pctx = &ctx->pctx;
 
-	base = pctx->protocol[PROTO_BASE_NETWORK_HDR].desc;
 	desc = pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc;
 	if (desc == NULL)
 		return 0;
 
+	base = pctx->protocol[PROTO_BASE_NETWORK_HDR].desc;
+	if (base == NULL &&
+	    (ctx->pctx.family == NFPROTO_INET ||
+	     ctx->pctx.family == NFPROTO_BRIDGE))
+		base = &proto_inet_service;
+
 	protonum = proto_find_num(base, desc);
 	switch (protonum) {
 	case IPPROTO_TCP:
author	Alvaro Neira <alvaroneay@gmail.com>	2014-10-21 01:29:40 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2014-10-21 10:16:40 +0200
commit	17b495957b29e699f59874d1ceca9535921b1a79 (patch)
tree	ac63b21f702f85e5b4411cdf3ce3eaafbdbb2e20 /src
parent	1fe6a5add50d9f81b1a25c9ecb7f7ef4f065ca8c (diff)