bugzilla-daemon at netfilter.org
2014-Apr-13 07:47 UTC
[Bug 915] New: segfault in error case : expr_evaluate_payload not checking payload->payload.desc being null
https://bugzilla.netfilter.org/show_bug.cgi?id=915

           Summary: segfault in error case : expr_evaluate_payload not checking payload->payload.desc being null
           Product: nftables
           Version: unspecified
          Platform: x86_64
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
        AssignedTo: pablo at netfilter.org
        ReportedBy: laurent at guerby.net
   Estimated Hours: 0.0

With latest git libmnl / libnftnl / nftables :

root at h7:~# nft add rule filter output @nh,16,4 8.8.8.8 counter
Segmentation fault
root at h7:~# gdb nft
GNU gdb (GDB) 7.6.2 (Debian 7.6.2-1)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/test/sbin/nft...done.
(gdb) r add rule filter output @nh,16,4 8.8.8.8 counter
Starting program: /root/test/sbin/nft add rule filter output @nh,16,4 8.8.8.8 counter
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?

Program received signal SIGSEGV, Segmentation fault.
0x000000000040d183 in expr_evaluate_payload (ctx=0x7fffffffe438, expr=0x64c740) at src/evaluate.c:284
284			return expr_error(ctx->msgs, payload,
(gdb) bt
#0  0x000000000040d183 in expr_evaluate_payload (ctx=0x7fffffffe438, expr=0x64c740) at src/evaluate.c:284
#1  0x000000000040f71d in expr_evaluate (ctx=0x7fffffffe438, expr=0x64c740) at src/evaluate.c:1071
#2  0x000000000040ee9d in expr_evaluate_relational (ctx=0x7fffffffe438, expr=0x64c7a8) at src/evaluate.c:874
#3  0x000000000040f81f in expr_evaluate (ctx=0x7fffffffe438, expr=0x64c7a8) at src/evaluate.c:1093
#4  0x000000000040f8a5 in stmt_evaluate_expr (ctx=0x7fffffffe438, stmt=0x64c760) at src/evaluate.c:1102
#5  0x000000000040fc50 in stmt_evaluate (ctx=0x7fffffffe438, stmt=0x64c760) at src/evaluate.c:1198
#6  0x0000000000410017 in rule_evaluate (ctx=0x7fffffffe438, rule=0x64c840) at src/evaluate.c:1283
#7  0x000000000041049e in cmd_evaluate_add (ctx=0x7fffffffe438, cmd=0x64c8d0) at src/evaluate.c:1380
#8  0x000000000041066e in cmd_evaluate (ctx=0x7fffffffe438, cmd=0x64c8d0) at src/evaluate.c:1424
#9  0x0000000000420dfe in nft_parse (scanner=0x64c490, state=0x7fffffffde50) at src/parser.y:573
#10 0x00000000004055cb in nft_run (scanner=0x64c490, state=0x7fffffffde50, msgs=0x7fffffffde40) at src/main.c:221
#11 0x0000000000405a47 in main (argc=8, argv=0x7fffffffe658) at src/main.c:332
(gdb) p payload
$1 = (struct expr *) 0x64c5a0
(gdb) p *payload
$2 = {list = {next = 0x64c5a0, prev = 0x64c5a0},
  location = {indesc = 0x7fffffffde58, {{token_offset = 24, line_offset = 0, first_line = 1, last_line = 1, first_column = 24, last_column = 31}, {nle = 0x18}}},
  refcnt = 1, flags = 0, dtype = 0x42df60 <integer_type>, byteorder = BYTEORDER_INVALID, len = 4,
  ops = 0x433f00 <payload_expr_ops>, op = OP_INVALID,
  {{scope = 0x0, identifier = 0x42fcf0 <proto_unknown_template> "\332\374B", symtype = SYMBOL_SET},
   {verdict = 0, chain = 0x42fcf0 <proto_unknown_template> "\332\374B"},
   {value = {{_mp_alloc = 0, _mp_size = 0, _mp_d = 0x42fcf0 <proto_unknown_template>}}},
   {prefix = 0x0, prefix_len = 4390128},
   {expressions = {next = 0x0, prev = 0x42fcf0 <proto_unknown_template>}, size = 2, set_flags = 16},
   {set = 0x0}, {arg = 0x0},
   {left = 0x0, right = 0x42fcf0 <proto_unknown_template>},
   {map = 0x0, mappings = 0x42fcf0 <proto_unknown_template>},
   payload = {desc = 0x0, tmpl = 0x42fcf0 <proto_unknown_template>, base = PROTO_BASE_NETWORK_HDR, offset = 16},
   exthdr = {desc = 0x0, tmpl = 0x42fcf0 <proto_unknown_template>},
   meta = {key = NFT_META_LEN, base = PROTO_BASE_INVALID},
   ct = {key = NFT_CT_STATE}}}
(gdb) p *ctx
$3 = {msgs = 0x7fffffffde40, cmd = 0x64c8d0, table = 0x0, set = 0x0, stmt = 0x64c760, ectx = {dtype = 0x0, len = 0},
  pctx = {family = 2, protocol = {
    {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0},
    {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0},
    {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x4321a0 <proto_ip>},
    {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0}}}}
(gdb) p base
$4 = PROTO_BASE_NETWORK_HDR
(gdb) p ctx->msgs
$5 = (struct list_head *) 0x7fffffffde40
(gdb) p ctx->pctx.protocol
$6 = {{location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0},
  {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0},
  {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x4321a0 <proto_ip>},
  {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0}}
(gdb) p (int)base
$7 = 2
(gdb) p ctx->pctx.protocol[0]
$8 = {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0}
(gdb) p ctx->pctx.protocol[1]
$9 = {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0}
(gdb) p ctx->pctx.protocol[2]
$10 = {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x4321a0 <proto_ip>}
(gdb) p ctx->pctx.protocol[2].desc
$11 = (const struct proto_desc *) 0x4321a0 <proto_ip>
(gdb) p *(ctx->pctx.protocol[2].desc)
$12 = {name = 0x432150 "ip", base = PROTO_BASE_NETWORK_HDR, protocol_key = 8,
  protocols = {{num = 1, desc = 0x430c80 <proto_icmp>}, {num = 50, desc = 0x430440 <proto_esp>}, {num = 51, desc = 0x430140 <proto_ah>},
    {num = 108, desc = 0x430740 <proto_comp>}, {num = 17, desc = 0x430fa0 <proto_udp>}, {num = 136, desc = 0x4312a0 <proto_udplite>},
    {num = 6, desc = 0x4316e0 <proto_tcp>}, {num = 33, desc = 0x431b60 <proto_dccp>}, {num = 132, desc = 0x431e60 <proto_sctp>},
    {num = 0, desc = 0x0}, {num = 0, desc = 0x0}, {num = 0, desc = 0x0}, {num = 0, desc = 0x0}, {num = 0, desc = 0x0}, {num = 0, desc = 0x0}, {num = 0, desc = 0x0}},
  templates = {{token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x432153 "version", dtype = 0x42df60 <integer_type>, offset = 0, len = 4, meta_key = NFT_META_LEN},
    {token = 0x430112 "hdrlength", dtype = 0x42df60 <integer_type>, offset = 4, len = 4, meta_key = NFT_META_LEN},
    {token = 0x43215b "tos", dtype = 0x42df60 <integer_type>, offset = 8, len = 8, meta_key = NFT_META_LEN},
    {token = 0x430f80 "length", dtype = 0x42df60 <integer_type>, offset = 16, len = 16, meta_key = NFT_META_LEN},
    {token = 0x430c60 "id", dtype = 0x42df60 <integer_type>, offset = 32, len = 16, meta_key = NFT_META_LEN},
    {token = 0x43215f "frag-off", dtype = 0x42df60 <integer_type>, offset = 48, len = 16, meta_key = NFT_META_LEN},
    {token = 0x432168 "ttl", dtype = 0x42df60 <integer_type>, offset = 64, len = 8, meta_key = NFT_META_LEN},
    {token = 0x43216c "protocol", dtype = 0x42e220 <inet_protocol_type>, offset = 72, len = 8, meta_key = NFT_META_LEN},
    {token = 0x430c57 "checksum", dtype = 0x42df60 <integer_type>, offset = 80, len = 16, meta_key = NFT_META_LEN},
    {token = 0x432175 "saddr", dtype = 0x42e100 <ipaddr_type>, offset = 96, len = 32, meta_key = NFT_META_LEN},
    {token = 0x43217b "daddr", dtype = 0x42e100 <ipaddr_type>, offset = 128, len = 32, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN}}}
(gdb) p payload->payload
$13 = {desc = 0x0, tmpl = 0x42fcf0 <proto_unknown_template>, base = PROTO_BASE_NETWORK_HDR, offset = 16}
(gdb) p payload->payload.desc
$14 = (const struct proto_desc *) 0x0

	} else if (ctx->pctx.protocol[base].desc != payload->payload.desc)
		return expr_error(ctx->msgs, payload,
				  "conflicting protocols specified: %s vs. %s",
				  ctx->pctx.protocol[base].desc->name,
				  payload->payload.desc->name);

Looks like payload->payload.desc can be NULL here hence the segfault.

--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
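The NULL dereference the trace above shows, reduced to a stand-alone C illustration added here (not the reporter's or nftables' code): the comparison quoted from evaluate.c beside a NULL-safe version. The `struct proto_desc` stand-in and the convention that a side with no descriptor makes no protocol claim are this example's assumptions, not the upstream fix.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for nftables' struct proto_desc with only the field
 * the crashing code reads; not the project's real type. */
struct proto_desc {
	const char *name;
};

static const struct proto_desc proto_ip  = { "ip" };
static const struct proto_desc proto_tcp = { "tcp" };

/* Shape of the check quoted in the report: once the descriptors differ it
 * reads ->name from both, so "ip" vs NULL (a raw @nh,16,4 payload, which has
 * no descriptor) dereferences NULL. Kept only for contrast; never pass NULL. */
int payload_conflict_unchecked(const struct proto_desc *ctx_desc,
			       const struct proto_desc *payload_desc,
			       char *err, size_t errlen)
{
	if (ctx_desc != payload_desc) {
		snprintf(err, errlen, "conflicting protocols specified: %s vs. %s",
			 ctx_desc->name, payload_desc->name); /* NULL deref on the report's input */
		return -1;
	}
	return 0;
}

/* Hardened form (illustrative, not the upstream commit): a side without a
 * descriptor makes no protocol claim and so cannot conflict; ->name is read
 * only after both pointers are known non-NULL. 0 = compatible, -1 = conflict. */
int payload_conflict_checked(const struct proto_desc *ctx_desc,
			     const struct proto_desc *payload_desc,
			     char *err, size_t errlen)
{
	if (ctx_desc == NULL || payload_desc == NULL || ctx_desc == payload_desc)
		return 0;
	snprintf(err, errlen, "conflicting protocols specified: %s vs. %s",
		 ctx_desc->name, payload_desc->name);
	return -1;
}

int main(void)
{
	char err[128] = "";
	/* Report's state: ip known at the network header, raw payload has no descriptor. */
	int rc = payload_conflict_checked(&proto_ip, NULL, err, sizeof err);
	printf("ip vs raw payload: rc=%d\n", rc);
	rc = payload_conflict_checked(&proto_ip, &proto_tcp, err, sizeof err);
	printf("ip vs tcp: rc=%d (%s)\n", rc, err);
	return 0;
}
```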
bugzilla-daemon at netfilter.org
2014-Aug-20 13:34 UTC
[Bug 915] segfault in error case : expr_evaluate_payload not checking payload->payload.desc being null
https://bugzilla.netfilter.org/show_bug.cgi?id=915

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> 2014-08-20 15:34:44 CEST ---
http://git.netfilter.org/nftables/commit/?id=6f285f202d6c41db1d9071c0964b5d062a522b4e