From 7fb6387b3c00346a429d291dd057e47c9354e263 Mon Sep 17 00:00:00 2001
From: Timothy Redaelli <tredaelli@redhat.com>
Date: Fri, 24 Feb 2017 11:58:57 +0100
Subject: [PATCH] evaluate: reject: Have a generic fix for missing network
 context

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1360354
Upstream Status: nftables commit 7241af3

commit 7241af302bbe56908fa87b17799048bfe884e35f
Author: Phil Sutter <phil@nwl.cc>
Date:   Tue Aug 30 19:39:51 2016 +0200

    evaluate: reject: Have a generic fix for missing network context

    Commit 17b495957b29e ("evaluate: reject: fix crash if we have transport
    protocol conflict from inet") took care of a crash when using inet or
    bridge families, but since then netdev family has been added which also
    does not implicitly define the network context. Therefore the crash can
    be reproduced again using the following example:

    nft add rule netdev filter e1000-ingress \
                    meta l4proto udp reject with tcp reset

    In order to fix this in a more generic way, have stmt_evaluate_reset()
    fall back to the generic proto_inet_service irrespective of the actual
    proto context.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
---
 src/evaluate.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 5e3c158..1b8d565 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2014,9 +2014,7 @@ static int stmt_evaluate_reset(struct eval_ctx *ctx, struct stmt *stmt)
 		return 0;
 
 	base = pctx->protocol[PROTO_BASE_NETWORK_HDR].desc;
-	if (base == NULL &&
-	    (ctx->pctx.family == NFPROTO_INET ||
-	     ctx->pctx.family == NFPROTO_BRIDGE))
+	if (base == NULL)
 		base = &proto_inet_service;
 
 	protonum = proto_find_num(base, desc);
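Review bot: with the family test dropped, the `if (base == NULL)` fallback to `&proto_inet_service` now applies to every family, not only inet, bridge and the netdev case that motivated the change, so the hunk relies on ip and ip6 always having set `pctx->protocol[PROTO_BASE_NETWORK_HDR].desc` implicitly before `stmt_evaluate_reset()` runs; a one-line comment above the fallback stating that assumption (and that a NULL `base` would otherwise reach `proto_find_num(base, desc)` in the trailing context line and crash) would spare the next reader from re-deriving it. The reproducer in the commit message, `nft add rule netdev filter e1000-ingress meta l4proto udp reject with tcp reset`, is the natural regression test for this hunk and should be added alongside it so the crash cannot silently return when yet another family without implicit network context is introduced.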
-- 
1.8.3.1