<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - nft crashes in chain_print_declaration()"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1365">1365</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>nft crashes in chain_print_declaration()
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>nft
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>slyfox@inbox.ru
</td>
</tr></table>
<p>
<div>
<pre>Here is the minimal crash reproducer:
$ cat nft.ruleset
# filters
table inet filter {
	chain prerouting {
		type filter hook prerouting priority -50
	}
}
# dump new state
list ruleset
$ nft -c -f ./nft.ruleset
table inet filter {
	chain prerouting {
Segmentation fault (core dumped)
Backtrace:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __gmpz_export (data=0x7ffc919cdd1c, countp=0x7ffc919cdc60, order=-1,
size=4, endian=0, nail=0, z=0x50)
at ../../gmp-6.1.2/mpz/export.c:66
66 zsize = SIZ(z);
(gdb) bt
#0 __gmpz_export (data=0x7ffc919cdd1c, countp=0x7ffc919cdc60, order=-1,
size=4, endian=0, nail=0, z=0x50)
at ../../gmp-6.1.2/mpz/export.c:66
#1 0x00007fc1b9b2e8c4 in __mpz_export_data (data=0x7ffc919cdd1c, op=0x50,
byteorder=BYTEORDER_HOST_ENDIAN,
len=4) at ../../../nftables/src/gmputil.c:109
#2 0x00007fc1b9afa346 in chain_print_declaration (chain=0x561fc75ebfe0,
octx=0x561fc75eb2c0)
at ../../../nftables/src/rule.c:1110
#3 0x00007fc1b9afa488 in chain_print (chain=0x561fc75ebfe0,
octx=0x561fc75eb2c0)
at ../../../nftables/src/rule.c:1128
#4 0x00007fc1b9afae77 in table_print (table=0x561fc75ebdb0,
octx=0x561fc75eb2c0)
at ../../../nftables/src/rule.c:1295
#5 0x00007fc1b9afc04d in do_list_table (ctx=0x7ffc919cdfe0,
cmd=0x561fc75ec500, table=0x561fc75ebdb0)
at ../../../nftables/src/rule.c:1645
#6 0x00007fc1b9afe014 in do_list_ruleset (ctx=0x7ffc919cdfe0,
cmd=0x561fc75ec500)
at ../../../nftables/src/rule.c:2208
#7 0x00007fc1b9afe5bc in do_command_list (ctx=0x7ffc919cdfe0,
cmd=0x561fc75ec500)
at ../../../nftables/src/rule.c:2330
#8 0x00007fc1b9afef56 in do_command (ctx=0x7ffc919cdfe0, cmd=0x561fc75ec500)
at ../../../nftables/src/rule.c:2572
#9 0x00007fc1b9b363e2 in nft_netlink (nft=0x561fc75eb2a0, cmds=0x7ffc919ce090,
msgs=0x7ffc919ce080,
nf_sock=0x561fc75ebc30) at ../../../nftables/src/libnftables.c:42
#10 0x00007fc1b9b3754a in nft_run_cmd_from_filename (nft=0x561fc75eb2a0,
filename=0x7ffc919cecff "./nft.ruleset") at
../../../nftables/src/libnftables.c:508
#11 0x0000561fc5f6e70e in main (argc=4, argv=0x7ffc919ce1f8) at
../../../nftables/src/main.c:328
valgrind says it's a NULL dereference:
$ valgrind --quiet nft -c -f ./nft.ruleset
table inet filter {
	chain prerouting {
==214535== Invalid read of size 4
==214535== at 0x49DF288: __gmpz_export (export.c:66)
==214535== by 0x48908C3: __mpz_export_data (gmputil.c:109)
==214535== by 0x485C345: chain_print_declaration (rule.c:1110)
==214535== by 0x485C487: chain_print (rule.c:1128)
==214535== by 0x485CE76: table_print (rule.c:1295)
==214535== by 0x485E04C: do_list_table (rule.c:1645)
==214535== by 0x4860013: do_list_ruleset (rule.c:2208)
==214535== by 0x48605BB: do_command_list (rule.c:2330)
==214535== by 0x4860F55: do_command (rule.c:2572)
==214535== by 0x48983E1: nft_netlink (libnftables.c:42)
==214535== by 0x4899549: nft_run_cmd_from_filename (libnftables.c:508)
==214535== by 0x10970D: main (main.c:328)
==214535== Address 0x54 is not stack'd, malloc'd or (recently) free'd</pre>
</div>
</p>
</body>
</html>