netfilter buglog - Oct 2016 - [Bug 1092] New: nft v0.6 segfault in must_print_eq_op at expression.c:520 during 'nft monitor trace' in netdev filter

https://bugzilla.netfilter.org/show_bug.cgi?id=1092

            Bug ID: 1092
           Summary: nft v0.6 segfault in must_print_eq_op at
                    expression.c:520 during 'nft monitor trace' in
netdev
                    filter
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: sverd.johnsen+nf at gmail.com

table netdev filter {
  chain foobar {
  type filter hook ingress device eth0 priority 0;
  udp sport 53 meta nftrace set 1
  }
}

Reading symbols from /usr/bin/nft...done.
[New LWP 11571]
Core was generated by `nft monitor trace'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000047a69fce5a in must_print_eq_op (expr=0x47a8a13610,
expr=0x47a8a13610) at expression.c:520
520     expression.c: No such file or directory.
(gdb) bt full
#0  0x00000047a69fce5a in must_print_eq_op (expr=0x47a8a13610,
expr=0x47a8a13610) at expression.c:520
No locals.
#1  binop_expr_print (expr=0x47a8a13610) at expression.c:532
No locals.
#2  0x00000047a6a05888 in trace_print_packet (nlt=nlt at entry=0x47a8a22050) at
netlink.c:2380
        stmts = {next = 0x47a8a0cc90, prev = 0x47a8a12a90}
        pctx = {pbase = PROTO_BASE_INVALID, pdep = 0x0, prev = 0x0}
        ctx = {family = 5, protocol = {{location = {indesc = 0x0,
{{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0,
first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0, offset = 0},
{location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0,
last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc
0x47a6c3eda0 <proto_netdev>, offset = 0}, {location = {
                indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line 0,
last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc 0x0,
offset = 0}, {location = {indesc = 0x0, {{token_offset = 0, line_offset 0,
first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle 0x0}}},
desc = 0x0, offset = 0}}}
        dev_type = <optimized out>
        nfproto = <optimized out>
        stmt = 0x47a8a0cc90
        next = 0x47a8a13c40
#3  0x00000047a6a07b66 in netlink_events_trace_cb (monh=0x3cc19177bd0, type=17,
nlh=0x3cc19166b30) at netlink.c:2405
        nlt = 0x47a8a22050
#4  netlink_events_cb (nlh=nlh at entry=0x3cc19166b30,
data=data at entry=0x3cc19177bd0) at netlink.c:2464
        ret = 1
        type = 17
        monh = 0x3cc19177bd0
#5  0x000003c19109b490 in __mnl_cb_run (cb_ctl_array_len=0, cb_ctl_array=0x0,
data=0x3cc19177bd0, cb_data=0x47a6a07530 <netlink_events_cb>, portid=0,
seq=0,
numbytes=420899556, buf=0x3cc19166ad0) at callback.c:78
        ret = 1
        len = 176
        nlh = 0x3cc19166b30
#6  mnl_cb_run (buf=buf at entry=0x3cc19166b30, numbytes=numbytes at entry=176,
seq=seq at entry=0, portid=portid at entry=0, cb_data=cb_data at
entry=0x47a6a07530
<netlink_events_cb>, data=data at entry=0x3cc19177bd0) at callback.c:162
No locals.
#7  0x00000047a6a1483b in mnl_nft_event_listener (nf_sock=0x47a8a0f6f0,
cb=cb at entry=0x47a6a07530 <netlink_events_cb>,
cb_data=cb_data at entry=0x3cc19177bd0) at mnl.c:1021
        bufsiz = 16777216
        buf = <error reading variable buf (value requires 69631 bytes, which
is
more than max-value-size)>
        ret = 176
#8  0x00000047a6a09989 in netlink_monitor
(monhandler=monhandler at entry=0x3cc19177bd0) at netlink.c:2483
No locals.
#9  0x00000047a69f913a in do_command_monitor (cmd=<optimized out>,
ctx=0x3cc19177c70) at rule.c:1327
        t = <optimized out>
        s = <optimized out>
        monhandler = {monitor_flags = 131437, format = 0, ctx = 0x3cc19177c70,
loc = 0x47a8a0c4e0, cache_needed = true}
#10 do_command (ctx=0x3cc19177c70, cmd=<optimized out>) at rule.c:1358
        __PRETTY_FUNCTION__ = "do_command"
#11 0x00000047a69f657a in nft_netlink (msgs=0x3cc19177d10, state=0x3cc19177d20)
at main.c:194
        ctx = {msgs = 0x3cc19177d10, list = {next = 0x3cc19177c78, prev
0x3cc19177c78}, set = 0x0, data = 0x47a8a0c910, seqnum = 4, batch_supported
true}
        err = <optimized out>
        tmp = <optimized out>
        err_list = {next = 0x3cc19177c60, prev = 0x3cc19177c60}
        batch_seqnum = 3
        batch_supported = true
        ret = 0
        cmd = 0x47a8a0c4d0
#12 nft_run (scanner=<optimized out>, state=0x3cc19177d20,
msgs=0x3cc19177d10)
at main.c:236
---Type <return> to continue, or q <return> to quit---
        cmd = <optimized out>
        next = <optimized out>
        ret = <optimized out>
#13 0x00000047a69f5fa6 in main (argc=3, argv=0x3cc19178558) at main.c:361
        state = {indesc = 0x42419177cd0, indescs = {{location = {indesc = 0x0,
{{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0,
first_column = 0, last_column = 0}, {nle = 0x0}}}, type = INDESC_BUFFER, name
0x47a6a2381c "<cmdline>", {data = 0x47a8a0c320 "monitor
trace", fd -1465859296}, lineno = 1, column = 15, token_offset = 13,
line_offset = 0},
{location = {indesc = 0x0, {{token_offset = 0, 
                    line_offset = 0, first_line = 0, last_line = 0,
first_column = 0, last_column = 0}, {nle = 0x0}}}, type = INDESC_INVALID, name
= 0x0, {data = 0x0, fd = 0}, lineno = 0, column = 0, token_offset = 0,
line_offset = 0} <repeats 15 times>}, indesc_idx = 0, msgs =
0x3cc19177d10,
nerrs = 0, top_scope = {parent = 0x0, symbols = {next = 0x3cc191782c8, prev
0x3cc191782c8}}, scopes = {0x3cc191782c0, 0x0,
            0x0}, scope = 0, cmds = {next = 0x47a8a0c4d0, prev = 0x47a8a0c4d0},
ectx = {msgs = 0x3cc19177d10, cmd = 0x47a8a0c4d0, table = 0x0, rule = 0x0, set
= 0x0, stmt = 0x0, ectx = {dtype = 0x0, byteorder = BYTEORDER_INVALID, len 0},
pctx = {family = 0, protocol = {{location = {indesc = 0x0, {{token_offset 0,
line_offset = 0, first_line = 0, last_line = 0, first_column = 0,
last_column = 0}, {nle = 0x0}}}, 
                  desc = 0x0, offset = 0}, {location = {indesc = 0x0,
{{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0,
first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0, offset = 0},
{location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0,
last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0,
offset = 0}, {location = {indesc = 0x0, {{
                        token_offset = 0, line_offset = 0, first_line = 0,
last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0,
offset = 0}}}}}
        scanner = 0x47a8a0c340
        msgs = {next = 0x3cc19177d10, prev = 0x3cc19177d10}
        buf = 0x47a8a0c320 "monitor trace"
        filename = 0x0
        len = <optimized out>
        interactive = false
        i = <optimized out>
        val = <optimized out>
        rc = 0





dig any crash.me.if.you.can

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20161020/ff5723de/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1092

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fw at strlen.de
             Status|NEW                         |ASSIGNED
           Assignee|pablo at netfilter.org         |fw at strlen.de

--- Comment #1 from Florian Westphal <fw at strlen.de> ---
Thanks, its caused by lack of proto_netdev handling in trace_print_packet().
I'll fix this tomorrow.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20161020/885182d0/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1092

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #2 from Florian Westphal <fw at strlen.de> ---
Fixed via
http://git.netfilter.org/nftables/commit/?id=9604b087a97d58822b4e72676dea429304561c44
, thanks for reporting this bug.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20161021/945a7a7f/attachment.html>