evaluate: reject: fix crash if we have transport protocol conflict from inet

Example:

nft add rule inet filter input meta l4proto udp reject with tcp reset

If we try to check if the transport protocol is tcp, we use the network context.
If we don't have this network context, we have a crash.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index 1fec1201de9208e6b818a7f2233cd709a1f043a3..ff46fda3f24d69ddb7ac4951b25eba72ed350260 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1328,11 +1328,16 @@ static int stmt_evaluate_reset(struct eval_ctx *ctx, struct stmt *stmt)
        const struct proto_desc *desc, *base;
        struct proto_ctx *pctx = &ctx->pctx;
 
-       base = pctx->protocol[PROTO_BASE_NETWORK_HDR].desc;
        desc = pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc;
        if (desc == NULL)
                return 0;
 
+       base = pctx->protocol[PROTO_BASE_NETWORK_HDR].desc;
+       if (base == NULL &&
+           (ctx->pctx.family == NFPROTO_INET ||
+            ctx->pctx.family == NFPROTO_BRIDGE))
+               base = &proto_inet_service;
+
        protonum = proto_find_num(base, desc);
        switch (protonum) {
        case IPPROTO_TCP: