[Bug 871] New: Running two instances of ulog causes abort in libnfnetlink
bugzilla-daemon at netfilter.org
Sat Nov 9 00:23:25 CET 2013
https://bugzilla.netfilter.org/show_bug.cgi?id=871
Summary: Running two instances of ulog causes abort in libnfnetlink
Product: ulogd
Version: SVN (please provide timestamp)
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: P5
Component: ulogd
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: bootc at bootc.net
Estimated Hours: 0.0
ulogd_inppkt_NFLOG.c:start() has a bug in out_bind:
out_bind:
	nflog_close(ui->nful_h);
	if (group_ce(upi->config_kset).u.value == 0) {
		nflog_unbind_pf(ui->nful_h, AF_INET);
		nflog_unbind_pf(ui->nful_h, AF_INET6);
		nflog_unbind_pf(ui->nful_h, AF_BRIDGE);
	}
Essentially, nflog_close() is called first, freeing the nflog handle and all of
its data, *then* nflog_unbind_pf() is called with the freed handle. This causes
use-after-free and NULL pointer dereference in nflog_unbind_pf().
To fix this, the nflog_close() should be moved after the if () block.
To replicate this: attempt to run two instances of ulogd with the NFLOG plugin
enabled and with the same groups. The second instance will abort:
firebox bootc # ulogd
ulogd: libnfnetlink.c:1566: nfnl_query: Assertion `h' failed.
Aborted
#4 0xb7e497b7 in __GI___assert_fail (assertion=assertion@entry=0xb7e10aed "h",
   file=file@entry=0xb7e10970 "libnfnetlink.c", line=line@entry=1566,
   function=function@entry=0xb7e10e6e <__PRETTY_FUNCTION__.5013> "nfnl_query")
   at assert.c:101
#5 0xb7e0fd0b in nfnl_query (h=0x0, nlh=0xbffff320) at libnfnetlink.c:1566
#6 0xb7fd9044 in __build_send_cfg_msg (h=0x80013d48, command=<optimized out>,
   groupnum=<optimized out>, pf=<optimized out>) at libnetfilter_log.c:143
#7 0xb7e1b68c in start (upi=upi@entry=0x80010090) at ulogd_inppkt_NFLOG.c:623
#8 0x800041bd in create_stack_start_instances (stack=0x80010078) at ulogd.c:809
Syslog contains:
Nov 8 23:22:13 firebox ulogd[27321]: unable to bind to log group 0
Regards,
Chris
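
The two teardown orders discussed in the report, as an added example that is not part of the original message and is not ulogd or libnetfilter_log code. The mock_* functions and struct mock_handle are hypothetical stand-ins for the nflog handle and calls; mock_close() marks the handle closed instead of freeing it, so each use after close can be counted without corrupting memory.

```c
#include <stdio.h>
#include <sys/socket.h>          /* AF_INET, AF_INET6 */
#ifndef AF_BRIDGE
#define AF_BRIDGE 7              /* Linux value, for non-Linux builds */
#endif

/* Hypothetical stand-in for the nflog handle. */
struct mock_handle { int open; int unbound; int misuse; };

/* Stand-in for nflog_close(): marks the handle dead rather than freeing it. */
static void mock_close(struct mock_handle *h) { h->open = 0; }

/* Stand-in for nflog_unbind_pf(): only valid on a live handle. */
static int mock_unbind_pf(struct mock_handle *h, int pf)
{
    (void)pf;
    if (!h->open) { h->misuse++; return -1; }   /* use after close */
    h->unbound++;
    return 0;
}

/* Order shown in the report: close first, then unbind on the dead handle. */
int teardown_reported(struct mock_handle *h, int group)
{
    mock_close(h);
    if (group == 0) {
        mock_unbind_pf(h, AF_INET);
        mock_unbind_pf(h, AF_INET6);
        mock_unbind_pf(h, AF_BRIDGE);
    }
    return h->misuse;
}

/* Order proposed in the report: unbind while the handle is live, close last. */
int teardown_proposed(struct mock_handle *h, int group)
{
    if (group == 0) {
        mock_unbind_pf(h, AF_INET);
        mock_unbind_pf(h, AF_INET6);
        mock_unbind_pf(h, AF_BRIDGE);
    }
    mock_close(h);
    return h->misuse;
}

int main(void)
{
    struct mock_handle a = {1, 0, 0}, b = {1, 0, 0};
    printf("reported order: %d uses after close\n", teardown_reported(&a, 0));
    printf("proposed order: %d uses after close\n", teardown_proposed(&b, 0));
    return 0;
}
```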