evaluate: fix crash if we add an error format rule

If we add a such nft rule:
  nft add rule filter input ip protocol icmp tcp dport 0

we will always meet the assert condition:
  nft: evaluate.c:536: resolve_protocol_conflict: Assertion `base < (__PROTO_BASE_MAX - 1)' failed.
  Aborted (core dumped)

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/src/evaluate.c b/src/evaluate.c
index 53f19b29a580c6459ae1b43dc494eeaf8210a63f..c317761fba5136389282c98627a2693903524cd5 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -533,7 +533,7 @@ static int resolve_protocol_conflict(struct eval_ctx *ctx,
                list_add_tail(&nstmt->list, &ctx->stmt->list);
        }
 
-       assert(base < PROTO_BASE_MAX);
+       assert(base <= PROTO_BASE_MAX);
        /* This payload and the existing context don't match, conflict. */
        if (ctx->pctx.protocol[base + 1].desc != NULL)
                return 1;