bugzilla-daemon at netfilter.org
2019-Jul-21 13:08 UTC
[Bug 1355] New: Error parsing JSON config via a pipe to subprocess's stdin
https://bugzilla.netfilter.org/show_bug.cgi?id=1355 Bug ID: 1355 Summary: Error parsing JSON config via a pipe to subprocess's stdin Product: nftables Version: unspecified Hardware: x86_64 OS: Ubuntu Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: tad.ashlock at gmail.com Created attachment 566 --> https://bugzilla.netfilter.org/attachment.cgi?id=566&action=edit C++ source file that demonstrates the problem nft versions tested: 0.5, 0.9.0, 0.9.1 Linux kernel versions: 4.15.0 (Ubuntu 16.04.1), 4.14.120 (custom distro) I'm fork-exec'ing "nft -f /dev/stdin", passing the configuration string via a pipe from the parent process. When the configuration string gets larger than 8192 characters, the parser appears to get corrupted at the 8 KiB boundry. (I've also seen it at the 16 KiB boundary, too.) This behavior doesn't happen if I pipe the same configuration in from a shell: "nft -f /dev/stdin <ruleset.txt" works fine. I've attached a C++ source file that demonstrates the problem. The configuration string was carefully crafted to cause the problem I'm seeing. To test that I haven't screwed up the fork-exec pipe to stdin, the demo code also sends the configuration string to 'tee' and 'sed', each of which writes their stdin to a separate file. The configuration string is also directly written to the file 'ruleset.txt' for comparison. Build & run: g++ test.cc -o test --std=c++11 -Wall sudo nft flush ruleset sudo ./test sudo nft list ruleset diff ruleset.txt tee-input.txt diff ruleset.txt sed-input.txt =========== START OF OUTPUT (sudo ./test) =============executing tee #!/usr/sbin/nft -f flush ruleset #234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 [snip] #234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 #23456789012345678901234567890 table ip filter { chain input { type filter hook input priority 0; policy accept; iifname "lo" ip saddr 10.0.0.0/8 tcp dport ssh accept } } executing sed executing nft /dev/stdin:95:42-48: Error: No symbol type information ^^^^^^^ unexpected exit status: 1 =========== END OF OUTPUT ============= If you now add a space character before "dport" in the source code, rebuild, an d rerun, the configuration will be parsed without an error. There's nothing particular about "dport", that's just an arbitrary location I picked. You can add or delete more comment characters to change which character is the 8192nd and the error location will change, along with the type of error. Adding spaces around each 8 KiB boundary of the configuration appears to be work-around for this problem. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190721/62aa5c46/attachment.html>
bugzilla-daemon at netfilter.org
2019-Jul-21 13:42 UTC
[Bug 1355] Error parsing JSON config via a pipe to subprocess's stdin
https://bugzilla.netfilter.org/show_bug.cgi?id=1355 Florian Westphal <fw at strlen.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |DUPLICATE Status|NEW |RESOLVED CC| |fw at strlen.de Assignee|pablo at netfilter.org |fw at strlen.de --- Comment #1 from Florian Westphal <fw at strlen.de> --- (In reply to Tad Ashlock from comment #0)> Created attachment 566 [details] > C++ source file that demonstrates the problem > > nft versions tested: 0.5, 0.9.0, 0.9.1 > Linux kernel versions: 4.15.0 (Ubuntu 16.04.1), 4.14.120 (custom distro) > > I'm fork-exec'ing "nft -f /dev/stdin", passing the configuration string via > a pipe from the parent process. When the configuration string gets larger > than 8192 characters, the parser appears to get corrupted at the 8 KiB > boundry. (I've also seen it at the 16 KiB boundary, too.)Please see if https://patchwork.ozlabs.org/patch/1134523/ resolves your problem, thanks. *** This bug has been marked as a duplicate of bug 1354 *** -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190721/bbf0dd18/attachment.html>
Possibly Parallel Threads
- [Bug 1354] New: cat foo.nft | nft -f - produces syntax error not seen with nft -f foo.nft
- Rhapsody Streaming Music Service with Wine on Fedora
- [Bug 1388] New: Combining --terse with --json has no effect
- [Bug 1463] New: nft --json table list ruleset crashes
- [Bug 1355] New: pointer arithmetic/gcc strict-aliasing warnings