[Bug 1365] New: nft crashes in chain_print_declaration()
bugzilla-daemon at netfilter.org
Sun Sep 15 13:21:49 CEST 2019
https://bugzilla.netfilter.org/show_bug.cgi?id=1365
Bug ID: 1365
Summary: nft crashes in chain_print_declaration()
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: slyfox at inbox.ru
Here is the minimal crash reproducer:
$ cat nft.ruleset
# filters
table inet filter {
	chain prerouting {
		type filter hook prerouting priority -50
	}
}
# dump new state
list ruleset
$ nft -c -f ./nft.ruleset
table inet filter {
chain prerouting {
Segmentation fault (core dumped)
Backtrace:
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __gmpz_export (data=0x7ffc919cdd1c, countp=0x7ffc919cdc60, order=-1, size=4, endian=0, nail=0, z=0x50) at ../../gmp-6.1.2/mpz/export.c:66
66	  zsize = SIZ(z);
(gdb) bt
#0  __gmpz_export (data=0x7ffc919cdd1c, countp=0x7ffc919cdc60, order=-1, size=4, endian=0, nail=0, z=0x50) at ../../gmp-6.1.2/mpz/export.c:66
#1  0x00007fc1b9b2e8c4 in __mpz_export_data (data=0x7ffc919cdd1c, op=0x50, byteorder=BYTEORDER_HOST_ENDIAN, len=4) at ../../../nftables/src/gmputil.c:109
#2  0x00007fc1b9afa346 in chain_print_declaration (chain=0x561fc75ebfe0, octx=0x561fc75eb2c0) at ../../../nftables/src/rule.c:1110
#3  0x00007fc1b9afa488 in chain_print (chain=0x561fc75ebfe0, octx=0x561fc75eb2c0) at ../../../nftables/src/rule.c:1128
#4  0x00007fc1b9afae77 in table_print (table=0x561fc75ebdb0, octx=0x561fc75eb2c0) at ../../../nftables/src/rule.c:1295
#5  0x00007fc1b9afc04d in do_list_table (ctx=0x7ffc919cdfe0, cmd=0x561fc75ec500, table=0x561fc75ebdb0) at ../../../nftables/src/rule.c:1645
#6  0x00007fc1b9afe014 in do_list_ruleset (ctx=0x7ffc919cdfe0, cmd=0x561fc75ec500) at ../../../nftables/src/rule.c:2208
#7  0x00007fc1b9afe5bc in do_command_list (ctx=0x7ffc919cdfe0, cmd=0x561fc75ec500) at ../../../nftables/src/rule.c:2330
#8  0x00007fc1b9afef56 in do_command (ctx=0x7ffc919cdfe0, cmd=0x561fc75ec500) at ../../../nftables/src/rule.c:2572
#9  0x00007fc1b9b363e2 in nft_netlink (nft=0x561fc75eb2a0, cmds=0x7ffc919ce090, msgs=0x7ffc919ce080, nf_sock=0x561fc75ebc30) at ../../../nftables/src/libnftables.c:42
#10 0x00007fc1b9b3754a in nft_run_cmd_from_filename (nft=0x561fc75eb2a0, filename=0x7ffc919cecff "./nft.ruleset") at ../../../nftables/src/libnftables.c:508
#11 0x0000561fc5f6e70e in main (argc=4, argv=0x7ffc919ce1f8) at ../../../nftables/src/main.c:328
valgrind says it's a NULL dereference:
$ valgrind --quiet nft -c -f ./nft.ruleset
table inet filter {
chain prerouting {
==214535== Invalid read of size 4
==214535== at 0x49DF288: __gmpz_export (export.c:66)
==214535== by 0x48908C3: __mpz_export_data (gmputil.c:109)
==214535== by 0x485C345: chain_print_declaration (rule.c:1110)
==214535== by 0x485C487: chain_print (rule.c:1128)
==214535== by 0x485CE76: table_print (rule.c:1295)
==214535== by 0x485E04C: do_list_table (rule.c:1645)
==214535== by 0x4860013: do_list_ruleset (rule.c:2208)
==214535== by 0x48605BB: do_command_list (rule.c:2330)
==214535== by 0x4860F55: do_command (rule.c:2572)
==214535== by 0x48983E1: nft_netlink (libnftables.c:42)
==214535== by 0x4899549: nft_run_cmd_from_filename (libnftables.c:508)
==214535== by 0x10970D: main (main.c:328)
==214535== Address 0x54 is not stack'd, malloc'd or (recently) free'd
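An added illustration, not part of the bug report and not nftables code: the z=0x50 in frame #0 together with valgrind's "Address 0x54" is the signature of a field dereference through a NULL struct pointer. Read that way, z is &expr->value with expr == NULL (so z equals the offset of `value` in the expression struct), and SIZ(z) at export.c:66 reads the 4-byte _mp_size member of the mpz at z + 4, which gives 0x54. The C below uses stand-in struct layouts chosen so that `value` sits at offset 0x50 (an assumption made to match the trace; nftables' real struct expr and struct chain are not reproduced), checks that the two addresses fit that reading, and shows a guarded declaration printer that reports a missing priority expression instead of dereferencing it. All struct and function names are made up for the example; the sample data mirrors the reproducer's priority -50.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for GMP's __mpz_struct (what an mpz_t points to): _mp_alloc at
 * offset 0, _mp_size at 4, _mp_d at 8.  SIZ(z) in export.c:66 reads _mp_size,
 * which is why the faulting 4-byte read lands at z + 4. */
struct mpz_standin {
	int _mp_alloc;
	int _mp_size;		/* sign = sign of the value, |_mp_size| = limb count */
	unsigned long *_mp_d;	/* magnitude limbs, least significant first */
};

/* Stand-in for nft's struct expr.  Assumption: 0x50 bytes of other fields
 * precede `value`, so that &((struct expr_standin *)NULL)->value == 0x50,
 * the z argument gdb shows in frame #0.  nftables' real layout is not
 * reproduced here. */
struct expr_standin {
	unsigned char other_fields[0x50];
	struct mpz_standin value;
};

/* Stand-in for the parts of a chain the declaration printer needs. */
struct chain_standin {
	const char *name;
	const char *type;
	const char *hook;
	struct expr_standin *priority_expr;	/* NULL in the crashing path */
};

/* Does a (z, fault address) pair from the report look like &expr->value
 * with expr == NULL?  z must equal the offset of `value` in the expression
 * struct and the faulting read must hit _mp_size, i.e. z + 4.  Returns 1/0. */
int fault_matches_null_expr(uintptr_t z, uintptr_t fault_addr)
{
	return z == offsetof(struct expr_standin, value) &&
	       fault_addr == z + offsetof(struct mpz_standin, _mp_size);
}

/* Reduce a one-limb mpz to an int, the way an mpz_export into a 4-byte
 * buffer followed by a sign test would. */
static int mpz_standin_to_int(const struct mpz_standin *z)
{
	if (z->_mp_size == 0)
		return 0;
	int mag = (int)z->_mp_d[0];
	return z->_mp_size < 0 ? -mag : mag;
}

/* Guarded declaration printer: a chain without a priority expression is
 * reported instead of being dereferenced at NULL + 0x50.
 * Returns 0 on success, -1 when the priority expression is missing. */
int print_chain_decl_guarded(const struct chain_standin *c, char *out, size_t n)
{
	if (c->priority_expr == NULL) {
		snprintf(out, n, "chain %s: missing priority expression", c->name);
		return -1;
	}
	snprintf(out, n, "chain %s {\n\t\ttype %s hook %s priority %d\n\t}",
		 c->name, c->type, c->hook,
		 mpz_standin_to_int(&c->priority_expr->value));
	return 0;
}

/* Constructed sample data mirroring the reproducer: priority -50 encoded as a
 * one-limb negative mpz, plus the same chain with the expression missing. */
static unsigned long sample_limb = 50;
static struct expr_standin sample_prio = { .value = { 1, -1, &sample_limb } };
struct chain_standin chain_with_priority = { "prerouting", "filter", "prerouting", &sample_prio };
struct chain_standin chain_without_priority = { "prerouting", "filter", "prerouting", NULL };
char out_buf[128];

int main(void)
{
	printf("z=0x50, fault=0x54 consistent with NULL expr->value: %s\n",
	       fault_matches_null_expr(0x50, 0x54) ? "yes" : "no");
	print_chain_decl_guarded(&chain_with_priority, out_buf, sizeof out_buf);
	printf("%s\n", out_buf);
	if (print_chain_decl_guarded(&chain_without_priority, out_buf, sizeof out_buf) < 0)
		printf("refused: %s\n", out_buf);
	return 0;
}
```

The same arithmetic works on any near-NULL fault: subtract the pointer the callee received from the address valgrind reports to get the member offset inside the callee's struct, and compare the pointer itself against offsetof() in the caller's struct to see which field of a NULL object was taken by address.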