bugzilla-daemon at netfilter.org
2020-Jul-19 11:08 UTC
[Bug 1444] New: nftables-0.9.6 crashes on some set notations:
https://bugzilla.netfilter.org/show_bug.cgi?id=1444
Bug ID: 1444
Summary: nftables-0.9.6 crashes on some set notations:
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: slyfox at inbox.ru
Small reproducer:
$ cat a.nft
flush ruleset
table inet filter {
chain foo {
udp dport { 53 } counter accept
}
}
list ruleset
$ ./src/nft -c -f a.nft
table inet filter {
chain foo {
meta l4proto udp udp dport Segmentation fault (core dumped)
$ gdb --quiet
/tmp/portage/net-firewall/nftables-0.9.6/work/nftables-0.9.6/src/.libs/nft
core.80359
Reading symbols from
/tmp/portage/net-firewall/nftables-0.9.6/work/nftables-0.9.6/src/.libs/nft...
[New LWP 80359]
Core was generated by
`/tmp/portage/net-firewall/nftables-0.9.6/work/nftables-0.9.6/src/.libs/nft -c
-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f30cec3bfe2 in expr_ops (e=0x0) at expression.c:1366
1366 return __expr_ops_by_type(e->etype);
(gdb) bt
#0 0x00007f30cec3bfe2 in expr_ops (e=0x0) at expression.c:1366
#1 0x00007f30cec393a8 in expr_print (expr=0x0, octx=0x55637f6e52c0) at
expression.c:101
#2 0x00007f30cec3b84f in set_ref_expr_print (expr=0x55637f6eb980,
octx=0x55637f6e52c0) at expression.c:1195
#3 0x00007f30cec393d1 in expr_print (expr=0x55637f6eb980, octx=0x55637f6e52c0)
at expression.c:104
#4 0x00007f30cec3a5d4 in binop_arg_print (op=0x55637f6ebb50,
arg=0x55637f6eb980, octx=0x55637f6e52c0) at expression.c:612
#5 0x00007f30cec3a72c in binop_expr_print (expr=0x55637f6ebb50,
octx=0x55637f6e52c0) at expression.c:637
#6 0x00007f30cec393d1 in expr_print (expr=0x55637f6ebb50, octx=0x55637f6e52c0)
at expression.c:104
#7 0x00007f30cec334e0 in expr_stmt_print (stmt=0x55637f6ebbe0,
octx=0x55637f6e52c0) at statement.c:72
#8 0x00007f30cec2c5db in rule_print (rule=0x55637f6ebe10, octx=0x55637f6e52c0)
at rule.c:655
#9 0x00007f30cec2dac0 in chain_print (chain=0x55637f6eb630,
octx=0x55637f6e52c0) at rule.c:1221
#10 0x00007f30cec2e50e in table_print (table=0x55637f6eb3d0,
octx=0x55637f6e52c0) at rule.c:1387
#11 0x00007f30cec2f981 in do_list_table (ctx=0x7fff2a98d110,
cmd=0x55637f6ec290, table=0x55637f6eb3d0) at rule.c:1770
#12 0x00007f30cec31ce3 in do_list_ruleset (ctx=0x7fff2a98d110,
cmd=0x55637f6ec290) at rule.c:2405
#13 0x00007f30cec32289 in do_command_list (ctx=0x7fff2a98d110,
cmd=0x55637f6ec290) at rule.c:2527
#14 0x00007f30cec32bc4 in do_command (ctx=0x7fff2a98d110, cmd=0x55637f6ec290)
at rule.c:2753
#15 0x00007f30cec6faf5 in nft_netlink (nft=0x55637f6e52a0, cmds=0x7fff2a98d1c0,
msgs=0x7fff2a98d1b0, nf_sock=0x55637f6e5f30) at libnftables.c:42
#16 0x00007f30cec70c81 in nft_run_cmd_from_filename (nft=0x55637f6e52a0,
filename=0x7fff2a98eb59 "a.nft") at libnftables.c:512
#17 0x000055637e892f41 in main (argc=4, argv=0x7fff2a98d348) at main.c:459
--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2020-Jul-19 11:09 UTC
[Bug 1444] nftables-0.9.6 crashes on some set notations:
https://bugzilla.netfilter.org/show_bug.cgi?id=1444
--- Comment #1 from Sergei Trofimovich <slyfox at inbox.ru> ---
valgrind also reports first out-of-bounds read in the same backtrace:
==80425== Invalid read of size 1
==80425== at 0x486BFE2: expr_ops (expression.c:1366)
==80425== by 0x48693A7: expr_print (expression.c:101)
==80425== by 0x486B84E: set_ref_expr_print (expression.c:1195)
==80425== by 0x48693D0: expr_print (expression.c:104)
==80425== by 0x486A5D3: binop_arg_print (expression.c:612)
==80425== by 0x486A72B: binop_expr_print (expression.c:637)
==80425== by 0x48693D0: expr_print (expression.c:104)
==80425== by 0x48634DF: expr_stmt_print (statement.c:72)
==80425== by 0x485C5DA: rule_print (rule.c:655)
==80425== by 0x485DABF: chain_print (rule.c:1221)
==80425== by 0x485E50D: table_print (rule.c:1387)
==80425== by 0x485F980: do_list_table (rule.c:1770)
==80425== by 0x4861CE2: do_list_ruleset (rule.c:2405)
==80425== by 0x4862288: do_command_list (rule.c:2527)
==80425== by 0x4862BC3: do_command (rule.c:2753)
==80425== by 0x489FAF4: nft_netlink (libnftables.c:42)
==80425== by 0x48A0C80: nft_run_cmd_from_filename (libnftables.c:512)
==80425== by 0x10AF40: main (main.c:459)
==80425== Address 0x49 is not stack'd, malloc'd or (recently) free'd
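The two reports above agree: gdb shows e=0x0 in expr_ops while valgrind flags a 1-byte read at address 0x49, which is what a read of e->etype through a NULL base looks like when the member sits at offset 0x49. The sketch below is an added example, not part of the bug report or of the nftables source; struct toy_expr, member_at_fault and toy_expr_type are hypothetical names, and the layout is constructed so that etype lands at 0x49.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in, NOT nftables' struct expr: padding is chosen so
 * that etype sits at offset 0x49, the address valgrind flagged. */
struct toy_expr {
    unsigned char hdr[0x49];
    uint8_t       etype;
    uint16_t      len;
};

struct member { const char *name; size_t off, size; };
#define MEMBER(m) { #m, offsetof(struct toy_expr, m), \
                    sizeof(((struct toy_expr *)0)->m) }
static const struct member members[] = { MEMBER(hdr), MEMBER(etype), MEMBER(len) };

/* Treat a fault address as "NULL base + member offset" and name the member
 * fully covering the access; NULL means it is not a plain NULL-member read. */
static const char *member_at_fault(uintptr_t fault, size_t access)
{
    for (size_t i = 0; i < sizeof(members) / sizeof(members[0]); i++) {
        const struct member *m = &members[i];
        if (fault >= m->off && fault + access <= m->off + m->size)
            return m->name;
    }
    return NULL;
}

/* Guarded accessor: reports a missing node instead of reading e->etype. */
static int toy_expr_type(const struct toy_expr *e, uint8_t *out)
{
    if (e == NULL)
        return -1;
    *out = e->etype;
    return 0;
}

int main(void)
{
    uint8_t t;
    printf("fault 0x49, 1 byte -> %s\n", member_at_fault(0x49, 1));
    printf("NULL node -> rc %d\n", toy_expr_type(NULL, &t));
    return 0;
}
```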
bugzilla-daemon at netfilter.org
2020-Aug-26 07:22 UTC
[Bug 1444] nftables-0.9.6 crashes on some set notations:
https://bugzilla.netfilter.org/show_bug.cgi?id=1444
kfm at plushkava.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kfm at plushkava.net
bugzilla-daemon at netfilter.org
2020-Aug-29 00:18 UTC
[Bug 1444] nftables-0.9.6 crashes on some set notations:
https://bugzilla.netfilter.org/show_bug.cgi?id=1444
kfm at plushkava.net changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1461