bugzilla-daemon at netfilter.org
2014-Dec-08 10:54 UTC
[Bug 990] New: nfct segfault in nfct_helper_free
https://bugzilla.netfilter.org/show_bug.cgi?id=990

            Bug ID: 990
           Summary: nfct segfault in nfct_helper_free
           Product: libnetfilter_cthelper
           Version: unspecified
          Hardware: x86_64
                OS: SuSE Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: libnetfilter_cthelper
          Assignee: pablo at netfilter.org
          Reporter: cshorler at googlemail.com

Created attachment 461
  --> https://bugzilla.netfilter.org/attachment.cgi?id=461&action=edit
move free call to after for loop

I was experimenting with userspace helpers; when running nfct I get a segfault. GDB session and valgrind output attached.

It looks like it's caused by the free in the for loop (line 118) getting passed an invalid pointer (0x45454545....).

The root cause of this seems to be the position of the function scope free (line 116); moving it to after the loop seems to resolve the issue (patch attached).

linux-foxtrot:~ # nfct helper list
{
	.name = ftp,
	.queuenum = 0,
	.l3protonum = 2,
	.l4protonum = 6,
	.priv_data_len = 24,
	.status = enabled,
};
Segmentation fault

linux-foxtrot:~ # gdb nfct
(gdb) run helper list
Starting program: /usr/sbin/nfct helper list
{
	.name = ftp,
	.queuenum = 0,
	.l3protonum = 2,
	.l4protonum = 6,
	.priv_data_len = 24,
	.status = enabled,
};

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x4545454545454545) at malloc.c:2888
2888	  if (chunk_is_mmapped(p))                       /* release mmapped memory. */
(gdb) bt
#0  __GI___libc_free (mem=0x4545454545454545) at malloc.c:2888
#1  0x00007ffff77cf97f in nfct_helper_free (h=h at entry=0x607030) at libnetfilter_cthelper.c:119
#2  0x0000000000402fe0 in nfct_helper_cb (nlh=nlh at entry=0x7fffffffc9d0, data=data at entry=0x0) at nfct-extensions/helper.c:113
#3  0x00007ffff7bd9370 in __mnl_cb_run (cb_ctl_array_len=0, cb_ctl_array=0x0, data=0x0, cb_data=0x402f80 <nfct_helper_cb>, portid=22283, seq=1418033670, numbytes=4206464, buf=0x7fffffffc9d0) at callback.c:71
#4  mnl_cb_run (buf=buf at entry=0x7fffffffc9d0, numbytes=numbytes at entry=112, seq=seq at entry=1418033670, portid=portid at entry=22283, cb_data=cb_data at entry=0x402f80 <nfct_helper_cb>, data=data at entry=0x0) at callback.c:155
#5  0x000000000040310a in nfct_cmd_helper_list (argc=argc at entry=3, argv=argv at entry=0x7fffffffdb28) at nfct-extensions/helper.c:154
#6  0x0000000000403f4a in nfct_cmd_helper_parse_params (argc=argc at entry=3, argv=argv at entry=0x7fffffffdb28) at nfct-extensions/helper.c:71
#7  0x0000000000401eb1 in main (argc=3, argv=0x7fffffffdb28) at nfct.c:77
(gdb) quit
A debugging session is active.

	Inferior 1 [process 22283] will be killed.

Quit anyway? (y or n) y

linux-foxtrot:~ # valgrind --leak-check=full -- nfct helper list
==22322== Memcheck, a memory error detector
==22322== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==22322== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==22322== Command: nfct helper list
==22322==
{
	.name = ftp,
	.queuenum = 0,
	.l3protonum = 2,
	.l4protonum = 6,
	.priv_data_len = 24,
	.status = enabled,
};
==22322== Invalid read of size 8
==22322==    at 0x523E970: nfct_helper_free (libnetfilter_cthelper.c:118)
==22322==    by 0x402FDF: nfct_helper_cb (helper.c:113)
==22322==    by 0x4E3436F: mnl_cb_run (callback.c:71)
==22322==    by 0x403109: nfct_cmd_helper_list (helper.c:154)
==22322==    by 0x401EB0: main (nfct.c:77)
==22322==  Address 0x59f30b8 is 40 bytes inside a block of size 80 free'd
==22322==    at 0x4C28ADC: free (vg_replace_malloc.c:446)
==22322==    by 0x523E96F: nfct_helper_free (libnetfilter_cthelper.c:116)
==22322==    by 0x402FDF: nfct_helper_cb (helper.c:113)
==22322==    by 0x4E3436F: mnl_cb_run (callback.c:71)
==22322==    by 0x403109: nfct_cmd_helper_list (helper.c:154)
==22322==    by 0x401EB0: main (nfct.c:77)
==22322==
==22322==
==22322== HEAP SUMMARY:
==22322==     in use at exit: 0 bytes in 0 blocks
==22322==   total heap usage: 3 allocs, 3 frees, 124 bytes allocated
==22322==
==22322== All heap blocks were freed -- no leaks are possible
==22322==
==22322== For counts of detected and suppressed errors, rerun with: -v
==22322== ERROR SUMMARY: 4 errors from 1 contexts (suppressed: 2 from 2)

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20141208/0f5cff12/attachment.html>
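The ordering defect the report describes, as an added C example that is not code from the bug report or from libnetfilter_cthelper: a hypothetical helper struct (its layout is an assumption, not taken from the page) released in the buggy order beside the corrected order that the attached patch applies. Valgrind's "Invalid read ... inside a block ... free'd" report above is what the buggy ordering produces, since the loop reads child pointers out of the parent block after that block has been freed.

```c
#include <stdlib.h>

/* Hypothetical model of the helper object (an assumption; the real struct layout
 * is not on the page): a parent block owning separately allocated policy entries. */
#define POLICY_MAX 4
struct policy { unsigned int max_expected; };
struct helper { struct policy *expect_policy[POLICY_MAX]; };

/* The ordering the report describes: free(h) sits at function scope before the
 * loop, so each h->expect_policy[i] read is a use-after-free and free() receives
 * whatever the allocator left in the dead block (the 0x4545... pointer in the
 * backtrace). Kept only for comparison; never call it. */
void helper_free_buggy(struct helper *h)
{
    free(h);
    for (int i = 0; i < POLICY_MAX; i++)
        free(h->expect_policy[i]);   /* invalid read: h is already freed */
}

/* The corrected ordering from the attached patch: children first, while the
 * parent is still valid, then the parent. Returns the number of policies
 * released so the behaviour can be checked. */
int helper_free_fixed(struct helper *h)
{
    int released = 0;
    if (h == NULL)
        return 0;
    for (int i = 0; i < POLICY_MAX; i++) {
        if (h->expect_policy[i] != NULL) {
            free(h->expect_policy[i]);
            h->expect_policy[i] = NULL;  /* no dangling pointer left behind */
            released++;
        }
    }
    free(h);                         /* parent last */
    return released;
}

/* Builds a helper with n populated policies (constructed sample data). */
struct helper *helper_new(int n)
{
    struct helper *h = calloc(1, sizeof(*h));
    for (int i = 0; h != NULL && i < n && i < POLICY_MAX; i++)
        h->expect_policy[i] = calloc(1, sizeof(struct policy));
    return h;
}
```

Running the fixed path under valgrind reports no invalid reads, which is the check worth repeating after applying the patch.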
bugzilla-daemon at netfilter.org
2014-Dec-08 18:05 UTC
[Bug 990] nfct segfault in nfct_helper_free
https://bugzilla.netfilter.org/show_bug.cgi?id=990

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Looks good. Could you attach a patch that I can apply with git-am? You can make it with git format-patch after git commit. Please, include your Signed-off-by tag as well (git commit -s). Thanks.
bugzilla-daemon at netfilter.org
2014-Dec-08 20:32 UTC
[Bug 990] nfct segfault in nfct_helper_free
https://bugzilla.netfilter.org/show_bug.cgi?id=990

Chris Horler <cshorler at googlemail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #461 is|0                           |1
          obsolete|                            |

--- Comment #2 from Chris Horler <cshorler at googlemail.com> ---
Created attachment 462
  --> https://bugzilla.netfilter.org/attachment.cgi?id=462&action=edit
git formatted patch
bugzilla-daemon at netfilter.org
2014-Dec-08 22:17 UTC
[Bug 990] nfct segfault in nfct_helper_free
https://bugzilla.netfilter.org/show_bug.cgi?id=990

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Applied, thanks!