bugzilla-daemon at netfilter.org
2018-Feb-01 12:41 UTC
[Bug 1222] New: nft list ruleset – infinite memory use
https://bugzilla.netfilter.org/show_bug.cgi?id=1222
Bug ID: 1222
Summary: nft list ruleset – infinite memory use
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: grawity at gmail.com
When this specific rule is inserted, trying to view it using `nft list ruleset`
causes the nft client to start allocating infinite amounts of RAM:
---
table inet filter {
chain input {
ct original ip daddr {1.2.3.4} accept
}
}
---
(The {set} is important – a standalone address doesn't cause this issue.)
nft debug output ends with:
---
...
Evaluate list
list ruleset
^^^^^^^^^^^^^
inet filter input 2
[ ct load l3protocol => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ ct load dst => reg 1 , dir original ]
[ lookup reg 1 set __set0 0x0 ]
[ immediate reg 0 accept ]
<begins eating memory at this point>
---
nftables 0.8.1
libnftnl 1.0.9
linux 4.9.78, 4.13.13
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180201/7dbe4cc2/attachment.html>
bugzilla-daemon at netfilter.org
2018-Feb-01 12:54 UTC
[Bug 1222] nft list ruleset – infinite memory use
https://bugzilla.netfilter.org/show_bug.cgi?id=1222
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Reproducible here.
We're hitting an infinite loop in netlink_parse_concat_expr().
len is never updated, so while (len > 0) always evaluates true.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180201/55fbe2ce/attachment.html>
bugzilla-daemon at netfilter.org
2018-Feb-01 23:54 UTC
[Bug 1222] nft list ruleset – infinite memory use
https://bugzilla.netfilter.org/show_bug.cgi?id=1222
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
For the record. This fixes the infinite loop.
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 2637f4baaec4..5ad3192a57aa 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -307,7 +307,7 @@ static void netlink_parse_lookup(struct netlink_parse_ctx
*ctx,
return netlink_error(ctx, loc,
"Lookup expression has no left hand
side");
- if (left->len < set->key->len) {
+ if (left->len > 0 && left->len <
set->key->len) {
left = netlink_parse_concat_expr(ctx, loc, sreg,
set->key->len);
if (left == NULL)
return;
However, this is still broken with ct saddr and concatenations.
Still considering here where to go with this bug report.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180201/0b050fd5/attachment.html>
bugzilla-daemon at netfilter.org
2018-Feb-02 13:33 UTC
[Bug 1222] nft list ruleset – infinite memory use
https://bugzilla.netfilter.org/show_bug.cgi?id=1222 --- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> --- Not definitive solution, but let's just make sure we don't hit this infinite loop. https://patchwork.ozlabs.org/patch/868556/ -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180202/5474c631/attachment.html>
bugzilla-daemon at netfilter.org
2019-Jul-16 16:02 UTC
[Bug 1222] nft list ruleset – infinite memory use
https://bugzilla.netfilter.org/show_bug.cgi?id=1222
Florian Westphal <fw at strlen.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
CC| |fw at strlen.de
--- Comment #4 from Florian Westphal <fw at strlen.de> ---
(In reply to grawity from comment #0)> When this specific rule is inserted, trying to view it using `nft list
> ruleset` causes the nft client to start allocating infinite amounts of RAM:
>
> ---
> table inet filter {
> chain input {
> ct original ip daddr {1.2.3.4} accept
> }
> }
This is now fixed in nftables git master via
http://git.netfilter.org/nftables/commit/?id=87c0bee7f04917623c35e850ad223222a93520d1
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190716/11331bc5/attachment.html>
Possibly Parallel Threads
- [Bug 1406] New: nft dies with an assertion of consumed > 0
- [Bug 935] New: Frag: problem with frag-off
- [Bug 936] New: frag: "more-fragments" and "reserved" are not identified by nftables
- [Bug 1330] New: Parse error for importing set with netmask
- [Bug 1429] New: Empty file in source directory - 'netlink_delinearize.'