[PATCH iptables 2/8] nft: fix crash when getprotobynumber() returns 0

Florian Westphal <fw@xxxxxxxxx> · Fri, 13 Apr 2018 20:08:42 +0200

This needs to first check if pent is NULL.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 iptables/nft-ipv4.c | 14 ++++++++------
 iptables/nft-ipv6.c | 15 +++++++++------
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index b779aef5c086..26d0d36c4749 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -460,15 +460,17 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
 		const struct protoent *pent =
 			getprotobynumber(cs->fw.ip.proto);
 		char protonum[sizeof("65535")];
+		const char *name = protonum;
 
-		if (!xlate_find_match(cs, pent->p_name)) {
-			snprintf(protonum, sizeof(protonum), "%u",
-				 cs->fw.ip.proto);
-			protonum[sizeof(protonum) - 1] = '\0';
+		snprintf(protonum, sizeof(protonum), "%u",
+			 cs->fw.ip.proto);
+
+		if (!pent || !xlate_find_match(cs, pent->p_name)) {
+			if (pent)
+				name = pent->p_name;
 			xt_xlate_add(xl, "ip protocol %s%s ",
 				   cs->fw.ip.invflags & IPT_INV_PROTO ?
-					"!= " : "",
-				   pent ? pent->p_name : protonum);
+					"!= " : "", name);
 		}
 	}
 
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 1be49dd30027..af5254226264 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -417,16 +417,19 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
 		const struct protoent *pent =
 			getprotobynumber(cs->fw6.ipv6.proto);
 		char protonum[sizeof("65535")];
+		const char *name = protonum;
 
-		if (!xlate_find_match(cs, pent->p_name)) {
-			snprintf(protonum, sizeof(protonum), "%u",
-				 cs->fw6.ipv6.proto);
-			protonum[sizeof(protonum) - 1] = '\0';
+		snprintf(protonum, sizeof(protonum), "%u",
+			 cs->fw6.ipv6.proto);
+
+		if (!pent || !xlate_find_match(cs, pent->p_name)) {
+			if (pent)
+				name = pent->p_name;
 			xt_xlate_add(xl, "meta l4proto %s%s ",
 				   cs->fw6.ipv6.invflags & IP6T_INV_PROTO ?
-					"!= " : "",
-				   pent ? pent->p_name : protonum);
+					"!= " : "", name);
 		}
+
 	}
 
 	xlate_ipv6_addr("ip6 saddr", &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk,
-- 
2.16.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html






