bugzilla-daemon at netfilter.org
2016-Jun-06 19:02 UTC
[Bug 1072] New: coredump when parsing ip protocol with number > 6
https://bugzilla.netfilter.org/show_bug.cgi?id=1072
Bug ID: 1072
Summary: coredump when parsing ip protocol with number > 6
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: frederik.schwan at linux.com
My goal: filter GRE (IP proto 47) traffic
This rule gives me a coredump when I try to load it:
ip protocol 47 ip saddr x.x.x.x accept
All numbers lower than 7 seem to work:
ip protocol 6 ip saddr x.x.x.x accept <- works
debug output:
update network layer protocol context:
link layer : inet
network layer : ip <-
transport layer : none
update network layer protocol context:
link layer : inet
network layer : ip <-
transport layer : none
/etc/nftables.conf:41:29-30: Evaluate
ip protocol 47 ip saddr x.x.x.x accept
^^
$47
/etc/nftables.conf:41:29-30: Evaluate
ip protocol 47 ip saddr x.x.x.x accept
^^
gre
[1] 20347 segmentation fault sudo nft --debug all -f /etc/nftables.conf
--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2016-Jun-06 19:03 UTC
[Bug 1072] coredump when parsing ip protocol with number > 6
https://bugzilla.netfilter.org/show_bug.cgi?id=1072
frederik.schwan at linux.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |frederik.schwan at linux.com
bugzilla-daemon at netfilter.org
2016-Jun-06 19:55 UTC
[Bug 1072] coredump when parsing ip protocol with number > 6
https://bugzilla.netfilter.org/show_bug.cgi?id=1072
Florian Westphal <fw at strlen.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fw at strlen.de
--- Comment #1 from Florian Westphal <fw at strlen.de> ---
(In reply to frederik.schwan from comment #0)
> My goal: filter GRE (IP proto 47) traffic
> This rule gives me a coredump when I try to load it:
> ip protocol 47 ip saddr x.x.x.x accept
Thanks, this is a regression from 0.5 when we don't have
the higher-level protocol.
Fix is
diff --git a/src/payload.c b/src/payload.c
--- a/src/payload.c
+++ b/src/payload.c
@@ -85,6 +85,9 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
base = ctx->protocol[left->payload.base].desc;
desc = proto_find_upper(base, proto);
+ if (!desc)
+ return;
+
assert(desc->base <= PROTO_BASE_MAX);
if (desc->base == base->base) {
assert(base->length > 0);
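Review bot: the new `if (!desc) return;` ahead of `assert(desc->base <= PROTO_BASE_MAX)` has no comment saying when proto_find_upper() can return NULL, and the early return leaves the protocol context un-updated without any signal to the caller. Add a short comment stating that a protocol value with no known upper-layer description is valid input and that the context is intentionally left as it was, and confirm that the remaining expressions of the rule are still evaluated against the correct context after this path. A regression test that loads a rule of the reported form (`ip protocol 47 ip saddr x.x.x.x accept`) would keep the NULL dereference from returning.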
I'll send a patch.
bugzilla-daemon at netfilter.org
2016-Jun-06 22:12 UTC
[Bug 1072] coredump when parsing ip protocol with number > 6
https://bugzilla.netfilter.org/show_bug.cgi?id=1072
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Please, when pushing this fix upstream, it would be good to add tests to cover
this use case. Thanks.
bugzilla-daemon at netfilter.org
2016-Jun-30 08:11 UTC
[Bug 1072] coredump when parsing ip protocol with number > 6
https://bugzilla.netfilter.org/show_bug.cgi?id=1072
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED