netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Álvaro Neira Ayuso" <alvaroneay@gmail.com>
Cc: netfilter-devel@vger.kernel.org, kaber@trash.net
Subject: Re: [nft PATCH 2/4 v2] evaluate: fix a crash if we check the transport protocol
Date: Mon, 20 Oct 2014 11:46:47 +0200
Message-ID: <20141020094647.GA5804@salvia>
In-Reply-To: <5444D881.6000306@gmail.com>

On Mon, Oct 20, 2014 at 11:40:17AM +0200, Álvaro Neira Ayuso wrote:
> On 20/10/14 10:59, Pablo Neira Ayuso wrote:
> >On Fri, Oct 17, 2014 at 02:24:35PM +0200, Alvaro Neira Ayuso wrote:
> >>Example:
> >>
> >>nft add rule inet filter input meta l4proto udp reject with tcp reset
> >>
> >>When we check if the transport protocol is tcp, we use the network context.
> >>If we don't have this network context, we have a crash.
> >>
> >>Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
> >>---
> >>[no changes in v2]
> >>
> >>  src/evaluate.c |    7 +++++++
> >>  1 file changed, 7 insertions(+)
> >>
> >>diff --git a/src/evaluate.c b/src/evaluate.c
> >>index 4b7bda9..2f71e9b 100644
> >>--- a/src/evaluate.c
> >>+++ b/src/evaluate.c
> >>@@ -1339,6 +1339,13 @@ static int stmt_evaluate_reset(struct eval_ctx *ctx, struct stmt *stmt)
> >>  	if (desc == NULL)
> >>  		return 0;
> >>
> >>+	if (base == NULL) {
> >>+		if (strcmp(desc->name, "tcp") == 0)
> >>+			return 0;
> >>+		else
> >>+			return stmt_error(ctx, stmt,
> >>+				 "you cannot use tcp reset with this protocol");
> >>+	}
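Review bot: the new `base == NULL` branch in this hunk re-implements the tcp check by string-comparing `desc->name` against "tcp" and otherwise fails with a generic message, so it side-steps the crash rather than fixing the missing network context; the cleaner fix is to fill in the base for the families where it can legitimately be NULL (inet, and bridge as discussed further down) so the existing code path gets a valid descriptor, e.g. `if (base == NULL && ctx->table.handle.family == NFPROTO_INET) base = &proto_inet_service;` with an equivalent case for bridge, and to check the family explicitly rather than assuming a NULL base can only come from those tables. Two smaller points: the `else` after `return 0` is redundant, and the error text "you cannot use tcp reset with this protocol" would be more useful if it named the protocol actually seen (`desc->name`).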
> >
> >Can you give this a try?
> >
> >         if (base == NULL &&
> >             ctx->table.handle.family == NFPROTO_INET)
> >                 base = &proto_inet_service;
> 
> It works. That was another solution that I thought of. But we don't
> need to compare the family because the base can be NULL only with
> Inet and Bridge tables.

OK, but better you still check for bridge and inet there. We may
introduce changes later on that may easily break this code because of
this assumption.


Thread overview: 13+ messages
2014-10-17 12:24 [nft PATCH 1/4 v2] evaluate: fix a crash if we specify ether type or meta nfproto in reject Alvaro Neira Ayuso
2014-10-17 12:24 ` [nft PATCH 2/4 v2] evaluate: fix a crash if we check the transport protocol Alvaro Neira Ayuso
2014-10-20  8:59   ` Pablo Neira Ayuso
2014-10-20  9:40     ` Álvaro Neira Ayuso
2014-10-20  9:46       ` Pablo Neira Ayuso [this message]
2014-10-20  9:50         ` Álvaro Neira Ayuso
2014-10-17 12:24 ` [nft PATCH 3/4 v2] delinearize: list the icmpx reason with the string associated Alvaro Neira Ayuso
2014-10-17 12:58   ` Pablo Neira Ayuso
2014-10-17 12:24 ` [nft PATCH 4/4 v2] test: update and add the reject tests for ip, ip6, bridge and inet Alvaro Neira Ayuso
2014-10-17 12:55 ` [nft PATCH 1/4 v2] evaluate: fix a crash if we specify ether type or meta nfproto in reject Pablo Neira Ayuso
2014-10-17 13:02   ` Álvaro Neira Ayuso
2014-10-17 13:38     ` Pablo Neira Ayuso
2014-10-17 13:44       ` Álvaro Neira Ayuso
