From patchwork Fri Oct 17 12:24:35 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Alvaro Neira
X-Patchwork-Id: 400514
X-Patchwork-Delegate: pablo@netfilter.org
From: Alvaro Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net
Subject: [nft PATCH 2/4 v2] evaluate: fix a crash if we check the transport protocol
Date: Fri, 17 Oct 2014 14:24:35 +0200
Message-Id: <1413548677-10287-2-git-send-email-alvaroneay@gmail.com>
X-Mailer: git-send-email 1.7.10.4
In-Reply-To: <1413548677-10287-1-git-send-email-alvaroneay@gmail.com>
References: <1413548677-10287-1-git-send-email-alvaroneay@gmail.com>
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netfilter-devel@vger.kernel.org

Example:
nft add rule inet filter input meta l4proto udp reject with tcp reset

When we check if the transport protocol is tcp, we use the network context. If we don't have this network context, we have a crash.

Signed-off-by: Alvaro Neira Ayuso
---
[no changes in v2]

 src/evaluate.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/evaluate.c b/src/evaluate.c index 4b7bda9..2f71e9b 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1339,6 +1339,13 @@ static int stmt_evaluate_reset(struct eval_ctx *ctx, struct stmt *stmt) if (desc == NULL) return 0; + if (base == NULL) { + if (strcmp(desc->name, "tcp") == 0) + return 0; + else + return stmt_error(ctx, stmt, + "you cannot use tcp reset with this protocol"); + } protonum = proto_find_num(base, desc); switch (protonum) { case IPPROTO_TCP:
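Review bot: In the new `base == NULL` branch of stmt_evaluate_reset(), the transport protocol is identified by comparing `desc->name` against the string literal "tcp", which ties the check to a display name. If the tcp protocol descriptor object is reachable from this file, comparing `desc` against it by pointer would be more robust than `strcmp`. The error text "you cannot use tcp reset with this protocol" also does not say which protocol was rejected; if stmt_error() takes format arguments, including `desc->name` would make the message actionable for the rule in the commit message (`meta l4proto udp reject with tcp reset`). Two smaller points: the `else` after `return 0;` is redundant and can be dropped so the error return sits at the branch's own indentation, and a one-line comment above `if (base == NULL)` saying when the network-layer context is absent (the inet case from the example) would explain why the guard has to come before `proto_find_num(base, desc)`.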