[nft,2/4,v2] evaluate: fix a crash if we check the transport protocol

Example:

nft add rule inet filter input meta l4proto udp reject with tcp reset

When we check if the transport protocol is tcp, we use the network context.
If we don't have this network context, we have a crash.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
[no changes in v2]

 src/evaluate.c |    7 +++++++
 1 file changed, 7 insertions(+)

On Fri, Oct 17, 2014 at 02:24:35PM +0200, Alvaro Neira Ayuso wrote:
> Example:
> 
> nft add rule inet filter input meta l4proto udp reject with tcp reset
> 
> When we check if the transport protocol is tcp, we use the network context.
> If we don't have this network context, we have a crash.
> 
> Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
> ---
> [no changes in v2]
> 
>  src/evaluate.c |    7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/src/evaluate.c b/src/evaluate.c
> index 4b7bda9..2f71e9b 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -1339,6 +1339,13 @@ static int stmt_evaluate_reset(struct eval_ctx *ctx, struct stmt *stmt)
>  	if (desc == NULL)
>  		return 0;
>  
> +	if (base == NULL) {
> +		if (strcmp(desc->name, "tcp") == 0)
> +			return 0;
> +		else
> +			return stmt_error(ctx, stmt,
> +				 "you cannot use tcp reset with this protocol");
> +	}

Can you give a try to this?

        if (base == NULL &&
            ctx->table.handle.family == NFPROTO_INET)
                base = &proto_inet_service;

>  	protonum = proto_find_num(base, desc);
>  	switch (protonum) {
>  	case IPPROTO_TCP:
> -- 
> 1.7.10.4
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

El 20/10/14 10:59, Pablo Neira Ayuso escribió:
> On Fri, Oct 17, 2014 at 02:24:35PM +0200, Alvaro Neira Ayuso wrote:
>> Example:
>>
>> nft add rule inet filter input meta l4proto udp reject with tcp reset
>>
>> When we check if the transport protocol is tcp, we use the network context.
>> If we don't have this network context, we have a crash.
>>
>> Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
>> ---
>> [no changes in v2]
>>
>>   src/evaluate.c |    7 +++++++
>>   1 file changed, 7 insertions(+)
>>
>> diff --git a/src/evaluate.c b/src/evaluate.c
>> index 4b7bda9..2f71e9b 100644
>> --- a/src/evaluate.c
>> +++ b/src/evaluate.c
>> @@ -1339,6 +1339,13 @@ static int stmt_evaluate_reset(struct eval_ctx *ctx, struct stmt *stmt)
>>   	if (desc == NULL)
>>   		return 0;
>>
>> +	if (base == NULL) {
>> +		if (strcmp(desc->name, "tcp") == 0)
>> +			return 0;
>> +		else
>> +			return stmt_error(ctx, stmt,
>> +				 "you cannot use tcp reset with this protocol");
>> +	}
>
> Can you give a try to this?
>
>          if (base == NULL &&
>              ctx->table.handle.family == NFPROTO_INET)
>                  base = &proto_inet_service;

It works. That was another solution that I thought. But we don't need to 
compare the family because the base can be NULL only with Inet and 
Bridge tables.

>
>>   	protonum = proto_find_num(base, desc);
>>   	switch (protonum) {
>>   	case IPPROTO_TCP:
>> --
>> 1.7.10.4
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Mon, Oct 20, 2014 at 11:40:17AM +0200, Álvaro Neira Ayuso wrote:
> El 20/10/14 10:59, Pablo Neira Ayuso escribió:
> >On Fri, Oct 17, 2014 at 02:24:35PM +0200, Alvaro Neira Ayuso wrote:
> >>Example:
> >>
> >>nft add rule inet filter input meta l4proto udp reject with tcp reset
> >>
> >>When we check if the transport protocol is tcp, we use the network context.
> >>If we don't have this network context, we have a crash.
> >>
> >>Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
> >>---
> >>[no changes in v2]
> >>
> >>  src/evaluate.c |    7 +++++++
> >>  1 file changed, 7 insertions(+)
> >>
> >>diff --git a/src/evaluate.c b/src/evaluate.c
> >>index 4b7bda9..2f71e9b 100644
> >>--- a/src/evaluate.c
> >>+++ b/src/evaluate.c
> >>@@ -1339,6 +1339,13 @@ static int stmt_evaluate_reset(struct eval_ctx *ctx, struct stmt *stmt)
> >>  	if (desc == NULL)
> >>  		return 0;
> >>
> >>+	if (base == NULL) {
> >>+		if (strcmp(desc->name, "tcp") == 0)
> >>+			return 0;
> >>+		else
> >>+			return stmt_error(ctx, stmt,
> >>+				 "you cannot use tcp reset with this protocol");
> >>+	}
> >
> >Can you give a try to this?
> >
> >         if (base == NULL &&
> >             ctx->table.handle.family == NFPROTO_INET)
> >                 base = &proto_inet_service;
> 
> It works. That was another solution that I thought. But we don't
> need to compare the family because the base can be NULL only with
> Inet and Bridge tables.

OK, but better you still check for bridge and inet there. We may
introduce changes later on that may easily break this code because of
this assumption.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

El 20/10/14 11:46, Pablo Neira Ayuso escribió:
> On Mon, Oct 20, 2014 at 11:40:17AM +0200, Álvaro Neira Ayuso wrote:
>> El 20/10/14 10:59, Pablo Neira Ayuso escribió:
>>> On Fri, Oct 17, 2014 at 02:24:35PM +0200, Alvaro Neira Ayuso wrote:
>>>> Example:
>>>>
>>>> nft add rule inet filter input meta l4proto udp reject with tcp reset
>>>>
>>>> When we check if the transport protocol is tcp, we use the network context.
>>>> If we don't have this network context, we have a crash.
>>>>
>>>> Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
>>>> ---
>>>> [no changes in v2]
>>>>
>>>>   src/evaluate.c |    7 +++++++
>>>>   1 file changed, 7 insertions(+)
>>>>
>>>> diff --git a/src/evaluate.c b/src/evaluate.c
>>>> index 4b7bda9..2f71e9b 100644
>>>> --- a/src/evaluate.c
>>>> +++ b/src/evaluate.c
>>>> @@ -1339,6 +1339,13 @@ static int stmt_evaluate_reset(struct eval_ctx *ctx, struct stmt *stmt)
>>>>   	if (desc == NULL)
>>>>   		return 0;
>>>>
>>>> +	if (base == NULL) {
>>>> +		if (strcmp(desc->name, "tcp") == 0)
>>>> +			return 0;
>>>> +		else
>>>> +			return stmt_error(ctx, stmt,
>>>> +				 "you cannot use tcp reset with this protocol");
>>>> +	}
>>>
>>> Can you give a try to this?
>>>
>>>          if (base == NULL &&
>>>              ctx->table.handle.family == NFPROTO_INET)
>>>                  base = &proto_inet_service;
>>
>> It works. That was another solution that I thought. But we don't
>> need to compare the family because the base can be NULL only with
>> Inet and Bridge tables.
>
> OK, but better you still check for bridge and inet there. We may
> introduce changes later on that may easily break this code because of
> this assumption.
>

Perfect. That's true. Thanks Pablo.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html