bugzilla-daemon at netfilter.org
2019-Aug-27 18:13 UTC
[Bug 1361] New: nft segfault on overlapping intervals
https://bugzilla.netfilter.org/show_bug.cgi?id=1361

Bug ID: 1361
Summary: nft segfault on overlapping intervals
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: arturo at debian.org

Bug reported in the Debian bug tracker:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932878

Original message follows:

While studying RFC 4890 I ran into parsing problems.
I have narrowed it down to the ruleset below.
Note the typo ("174" should be "147") results in overlapping intervals with conflicting verdicts.
I think this should result in an error rather than a segfault.

    #!/usr/sbin/nft --file
    delete chain inet x y
    table inet x {
        chain y {
            icmpv6 type vmap {
                144 - 174 : accept,
                154 - 199 : drop,
            }
        }
    }

    PID: 8941 (nft)
    UID: 0 (root)
    GID: 0 (root)
    Signal: 11 (SEGV)
    Timestamp: Wed 2019-07-24 14:37:13 AEST (45s ago)
    Command Line: nft --file tmp.nft
    Executable: /usr/sbin/nft
    Control Group: /user.slice/user-0.slice/session-25.scope
    Unit: session-25.scope
    Slice: user-0.slice
    Session: 25
    Owner UID: 0 (root)
    Boot ID: d7a30c4dec804cd08fbd79e513dfbc16
    Machine ID: ee3c68006daf4086b06772170d63f3f6
    Hostname: not-omega
    Storage: /var/lib/systemd/coredump/core.nft.0.d7a30c4dec804cd08fbd79e513dfbc16.8941.1563943033000000.lz4
    Message: Process 8941 (nft) of user 0 dumped core.

    Stack trace of thread 8941:
    #0  0x00007f1d5d9fb39b set_to_intervals (libnftables.so.1)
    #1  0x00007f1d5d9dcd2f n/a (libnftables.so.1)
    #2  0x00007f1d5d9df2c7 do_command (libnftables.so.1)
    #3  0x00007f1d5da02320 n/a (libnftables.so.1)
    #4  0x00007f1d5da02cdc nft_run_cmd_from_filename (libnftables.so.1)
    #5  0x00005637f2eaa5f0 main (nft)
    #6  0x00007f1d5d73809b __libc_start_main (libc.so.6)
    #7  0x00005637f2eaa68a _start (nft)

--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2019-Dec-31 19:56 UTC
[Bug 1361] nft segfault on overlapping intervals
https://bugzilla.netfilter.org/show_bug.cgi?id=1361

kfm at plushkava.net changed:

    What    |Removed    |Added
    ----------------------------------------------------------------------------
    CC      |           |kfm at plushkava.net
bugzilla-daemon at netfilter.org
2020-Apr-15 22:36 UTC
[Bug 1361] nft segfault on overlapping intervals
https://bugzilla.netfilter.org/show_bug.cgi?id=1361

Pablo Neira Ayuso <pablo at netfilter.org> changed:

    What        |Removed    |Added
    ----------------------------------------------------------------------------
    Status      |NEW        |RESOLVED
    Resolution  |---        |FIXED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---

Works here:

    # nft -f m
    m:6:17-25: Error: conflicting intervals specified
                    144 - 174 : accept,
                    ^^^^^^^^^
    m:5:30-13: Error: Could not process rule: File exists
            icmpv6 type vmap {

Fixed by:

http://git.netfilter.org/nftables/commit/?id=3e7dad95af69bde12f22af5b1a2bc860ab3da417
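
The behaviour the thread asks for, rejecting overlapping intervals with an error before they are converted, can be sketched as follows. This is an added example, not the nftables code or the commit referenced above; the types and function names (`struct interval`, `check_intervals`, `check_reported`, `check_corrected`) are hypothetical, and the only inputs are the two map elements from the report.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical types for illustration; not nftables' internal structures. */
enum verdict { ACCEPT, DROP };
enum iv_result { IV_OK, IV_BAD_RANGE, IV_OVERLAP, IV_CONFLICT };
struct interval { unsigned lo, hi; enum verdict v; };  /* inclusive range */

static int cmp_lo(const void *a, const void *b)
{
    const struct interval *x = a, *y = b;
    return (x->lo > y->lo) - (x->lo < y->lo);
}

/* Sort by lower bound, then compare each element with its predecessor.
 * Because the scan stops at the first overlap, the predecessor always has
 * the highest upper bound seen so far, so one comparison each is enough. */
enum iv_result check_intervals(struct interval *e, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (e[i].lo > e[i].hi)
            return IV_BAD_RANGE;
    qsort(e, n, sizeof(*e), cmp_lo);
    for (size_t i = 1; i < n; i++)
        if (e[i].lo <= e[i - 1].hi)
            return e[i].v == e[i - 1].v ? IV_OVERLAP : IV_CONFLICT;
    return IV_OK;
}

/* Elements from the report: 144-174 : accept, 154-199 : drop. */
enum iv_result check_reported(void)
{
    struct interval e[] = { { 154, 199, DROP }, { 144, 174, ACCEPT } };
    return check_intervals(e, 2);
}

/* The same map with the typo corrected ("174" -> "147"). */
enum iv_result check_corrected(void)
{
    struct interval e[] = { { 144, 147, ACCEPT }, { 154, 199, DROP } };
    return check_intervals(e, 2);
}

int main(void)
{
    printf("reported: %d, corrected: %d\n", check_reported(), check_corrected());
    return 0;
}
```

The check returns a result code for every input, so a caller can print a diagnostic and stop instead of handing inconsistent elements to later processing.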