[Bug 1365] New: nft crashes in chain_print_declaration()

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sun Sep 15 13:21:49 CEST 2019


            Bug ID: 1365
           Summary: nft crashes in chain_print_declaration()
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: slyfox at inbox.ru

Here is the minimal crash reproducer:

$ cat nft.ruleset
    # filters
    table inet filter {
        chain prerouting {
            type filter hook prerouting priority -50

    # dump new state
    list ruleset

$ nft -c -f ./nft.ruleset
    table inet filter {
        chain prerouting {
    Segmentation fault (core dumped)


Program terminated with signal SIGSEGV, Segmentation fault.
#0  __gmpz_export (data=0x7ffc919cdd1c, countp=0x7ffc919cdc60, order=-1,
size=4, endian=0, nail=0, z=0x50)
    at ../../gmp-6.1.2/mpz/export.c:66
66      zsize = SIZ(z);
(gdb) bt
#0  __gmpz_export (data=0x7ffc919cdd1c, countp=0x7ffc919cdc60, order=-1,
size=4, endian=0, nail=0, z=0x50)
    at ../../gmp-6.1.2/mpz/export.c:66
#1  0x00007fc1b9b2e8c4 in __mpz_export_data (data=0x7ffc919cdd1c, op=0x50,
    len=4) at ../../../nftables/src/gmputil.c:109
#2  0x00007fc1b9afa346 in chain_print_declaration (chain=0x561fc75ebfe0,
    at ../../../nftables/src/rule.c:1110
#3  0x00007fc1b9afa488 in chain_print (chain=0x561fc75ebfe0,
    at ../../../nftables/src/rule.c:1128
#4  0x00007fc1b9afae77 in table_print (table=0x561fc75ebdb0,
    at ../../../nftables/src/rule.c:1295
#5  0x00007fc1b9afc04d in do_list_table (ctx=0x7ffc919cdfe0,
cmd=0x561fc75ec500, table=0x561fc75ebdb0)
    at ../../../nftables/src/rule.c:1645
#6  0x00007fc1b9afe014 in do_list_ruleset (ctx=0x7ffc919cdfe0,
    at ../../../nftables/src/rule.c:2208
#7  0x00007fc1b9afe5bc in do_command_list (ctx=0x7ffc919cdfe0,
    at ../../../nftables/src/rule.c:2330
#8  0x00007fc1b9afef56 in do_command (ctx=0x7ffc919cdfe0, cmd=0x561fc75ec500)
    at ../../../nftables/src/rule.c:2572
#9  0x00007fc1b9b363e2 in nft_netlink (nft=0x561fc75eb2a0, cmds=0x7ffc919ce090,
    nf_sock=0x561fc75ebc30) at ../../../nftables/src/libnftables.c:42
#10 0x00007fc1b9b3754a in nft_run_cmd_from_filename (nft=0x561fc75eb2a0,
    filename=0x7ffc919cecff "./nft.ruleset") at
#11 0x0000561fc5f6e70e in main (argc=4, argv=0x7ffc919ce1f8) at

valgrind says it's a NULL dereference:

$ valgrind --quiet nft -c -f ./nft.ruleset
table inet filter {
    chain prerouting {
==214535== Invalid read of size 4
==214535==    at 0x49DF288: __gmpz_export (export.c:66)
==214535==    by 0x48908C3: __mpz_export_data (gmputil.c:109)
==214535==    by 0x485C345: chain_print_declaration (rule.c:1110)
==214535==    by 0x485C487: chain_print (rule.c:1128)
==214535==    by 0x485CE76: table_print (rule.c:1295)
==214535==    by 0x485E04C: do_list_table (rule.c:1645)
==214535==    by 0x4860013: do_list_ruleset (rule.c:2208)
==214535==    by 0x48605BB: do_command_list (rule.c:2330)
==214535==    by 0x4860F55: do_command (rule.c:2572)
==214535==    by 0x48983E1: nft_netlink (libnftables.c:42)
==214535==    by 0x4899549: nft_run_cmd_from_filename (libnftables.c:508)
==214535==    by 0x10970D: main (main.c:328)
==214535==  Address 0x54 is not stack'd, malloc'd or (recently) free'd

You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190915/83642595/attachment.html>

More information about the netfilter-buglog mailing list