[Bug 915] New: segfault in error case : expr_evaluate_payload not checking payload->payload.desc being null
bugzilla-daemon at netfilter.org
Sun Apr 13 09:47:18 CEST 2014
https://bugzilla.netfilter.org/show_bug.cgi?id=915
Summary: segfault in error case : expr_evaluate_payload not checking payload->payload.desc being null
Product: nftables
Version: unspecified
Platform: x86_64
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: nft
AssignedTo: pablo at netfilter.org
ReportedBy: laurent at guerby.net
Estimated Hours: 0.0
With latest git libmnl / libnftnl / nftables:
root@h7:~# nft add rule filter output @nh,16,4 8.8.8.8 counter
Segmentation fault
root@h7:~# gdb nft
GNU gdb (GDB) 7.6.2 (Debian 7.6.2-1)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/test/sbin/nft...done.
(gdb) r add rule filter output @nh,16,4 8.8.8.8 counter
Starting program: /root/test/sbin/nft add rule filter output @nh,16,4 8.8.8.8 counter
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
Program received signal SIGSEGV, Segmentation fault.
0x000000000040d183 in expr_evaluate_payload (ctx=0x7fffffffe438, expr=0x64c740) at src/evaluate.c:284
284 return expr_error(ctx->msgs, payload,
(gdb) bt
#0  0x000000000040d183 in expr_evaluate_payload (ctx=0x7fffffffe438, expr=0x64c740) at src/evaluate.c:284
#1  0x000000000040f71d in expr_evaluate (ctx=0x7fffffffe438, expr=0x64c740) at src/evaluate.c:1071
#2  0x000000000040ee9d in expr_evaluate_relational (ctx=0x7fffffffe438, expr=0x64c7a8) at src/evaluate.c:874
#3  0x000000000040f81f in expr_evaluate (ctx=0x7fffffffe438, expr=0x64c7a8) at src/evaluate.c:1093
#4  0x000000000040f8a5 in stmt_evaluate_expr (ctx=0x7fffffffe438, stmt=0x64c760) at src/evaluate.c:1102
#5  0x000000000040fc50 in stmt_evaluate (ctx=0x7fffffffe438, stmt=0x64c760) at src/evaluate.c:1198
#6  0x0000000000410017 in rule_evaluate (ctx=0x7fffffffe438, rule=0x64c840) at src/evaluate.c:1283
#7  0x000000000041049e in cmd_evaluate_add (ctx=0x7fffffffe438, cmd=0x64c8d0) at src/evaluate.c:1380
#8  0x000000000041066e in cmd_evaluate (ctx=0x7fffffffe438, cmd=0x64c8d0) at src/evaluate.c:1424
#9  0x0000000000420dfe in nft_parse (scanner=0x64c490, state=0x7fffffffde50) at src/parser.y:573
#10 0x00000000004055cb in nft_run (scanner=0x64c490, state=0x7fffffffde50, msgs=0x7fffffffde40) at src/main.c:221
#11 0x0000000000405a47 in main (argc=8, argv=0x7fffffffe658) at src/main.c:332
(gdb) p payload
$1 = (struct expr *) 0x64c5a0
(gdb) p *payload
$2 = {list = {next = 0x64c5a0, prev = 0x64c5a0}, location = {indesc = 0x7fffffffde58, {{token_offset = 24, line_offset = 0, first_line = 1, last_line = 1, first_column = 24, last_column = 31}, {nle = 0x18}}}, refcnt = 1, flags = 0,
  dtype = 0x42df60 <integer_type>, byteorder = BYTEORDER_INVALID, len = 4, ops = 0x433f00 <payload_expr_ops>, op = OP_INVALID,
  {{scope = 0x0, identifier = 0x42fcf0 <proto_unknown_template> "\332\374B", symtype = SYMBOL_SET},
   {verdict = 0, chain = 0x42fcf0 <proto_unknown_template> "\332\374B"},
   {value = {{_mp_alloc = 0, _mp_size = 0, _mp_d = 0x42fcf0 <proto_unknown_template>}}},
   {prefix = 0x0, prefix_len = 4390128},
   {expressions = {next = 0x0, prev = 0x42fcf0 <proto_unknown_template>}, size = 2, set_flags = 16},
   {set = 0x0}, {arg = 0x0},
   {left = 0x0, right = 0x42fcf0 <proto_unknown_template>},
   {map = 0x0, mappings = 0x42fcf0 <proto_unknown_template>},
   payload = {desc = 0x0, tmpl = 0x42fcf0 <proto_unknown_template>, base = PROTO_BASE_NETWORK_HDR, offset = 16},
   exthdr = {desc = 0x0, tmpl = 0x42fcf0 <proto_unknown_template>},
   meta = {key = NFT_META_LEN, base = PROTO_BASE_INVALID},
   ct = {key = NFT_CT_STATE}}}
(gdb) p *ctx
$3 = {msgs = 0x7fffffffde40, cmd = 0x64c8d0, table = 0x0, set = 0x0, stmt = 0x64c760, ectx = {dtype = 0x0, len = 0},
  pctx = {family = 2, protocol = {
    {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0},
    {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0},
    {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x4321a0 <proto_ip>},
    {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0}}}}
(gdb) p base
$4 = PROTO_BASE_NETWORK_HDR
(gdb) p ctx->msgs
$5 = (struct list_head *) 0x7fffffffde40
(gdb) p ctx->pctx.protocol
$6 = {
  {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0},
  {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0},
  {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x4321a0 <proto_ip>},
  {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0}}
(gdb) p (int)base
$7 = 2
(gdb) p ctx->pctx.protocol[0]
$8 = {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0}
(gdb) p ctx->pctx.protocol[1]
$9 = {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0}
(gdb) p ctx->pctx.protocol[2]
$10 = {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x4321a0 <proto_ip>}
(gdb) p ctx->pctx.protocol[2].desc
$11 = (const struct proto_desc *) 0x4321a0 <proto_ip>
(gdb) p *(ctx->pctx.protocol[2].desc)
$12 = {name = 0x432150 "ip", base = PROTO_BASE_NETWORK_HDR, protocol_key = 8,
  protocols = {{num = 1, desc = 0x430c80 <proto_icmp>}, {num = 50, desc = 0x430440 <proto_esp>}, {num = 51, desc = 0x430140 <proto_ah>}, {num = 108, desc = 0x430740 <proto_comp>}, {num = 17, desc = 0x430fa0 <proto_udp>}, {num = 136, desc = 0x4312a0 <proto_udplite>}, {num = 6, desc = 0x4316e0 <proto_tcp>}, {num = 33, desc = 0x431b60 <proto_dccp>}, {num = 132, desc = 0x431e60 <proto_sctp>}, {num = 0, desc = 0x0}, {num = 0, desc = 0x0}, {num = 0, desc = 0x0}, {num = 0, desc = 0x0}, {num = 0, desc = 0x0}, {num = 0, desc = 0x0}, {num = 0, desc = 0x0}},
  templates = {
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x432153 "version", dtype = 0x42df60 <integer_type>, offset = 0, len = 4, meta_key = NFT_META_LEN},
    {token = 0x430112 "hdrlength", dtype = 0x42df60 <integer_type>, offset = 4, len = 4, meta_key = NFT_META_LEN},
    {token = 0x43215b "tos", dtype = 0x42df60 <integer_type>, offset = 8, len = 8, meta_key = NFT_META_LEN},
    {token = 0x430f80 "length", dtype = 0x42df60 <integer_type>, offset = 16, len = 16, meta_key = NFT_META_LEN},
    {token = 0x430c60 "id", dtype = 0x42df60 <integer_type>, offset = 32, len = 16, meta_key = NFT_META_LEN},
    {token = 0x43215f "frag-off", dtype = 0x42df60 <integer_type>, offset = 48, len = 16, meta_key = NFT_META_LEN},
    {token = 0x432168 "ttl", dtype = 0x42df60 <integer_type>, offset = 64, len = 8, meta_key = NFT_META_LEN},
    {token = 0x43216c "protocol", dtype = 0x42e220 <inet_protocol_type>, offset = 72, len = 8, meta_key = NFT_META_LEN},
    {token = 0x430c57 "checksum", dtype = 0x42df60 <integer_type>, offset = 80, len = 16, meta_key = NFT_META_LEN},
    {token = 0x432175 "saddr", dtype = 0x42e100 <ipaddr_type>, offset = 96, len = 32, meta_key = NFT_META_LEN},
    {token = 0x43217b "daddr", dtype = 0x42e100 <ipaddr_type>, offset = 128, len = 32, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN},
    {token = 0x0, dtype = 0x0, offset = 0, len = 0, meta_key = NFT_META_LEN}}}
(gdb) p payload->payload
$13 = {desc = 0x0, tmpl = 0x42fcf0 <proto_unknown_template>, base = PROTO_BASE_NETWORK_HDR, offset = 16}
(gdb) p payload->payload.desc
$14 = (const struct proto_desc *) 0x0
        } else if (ctx->pctx.protocol[base].desc != payload->payload.desc)
                return expr_error(ctx->msgs, payload,
                                  "conflicting protocols specified: %s vs. %s",
                                  ctx->pctx.protocol[base].desc->name,
                                  payload->payload.desc->name);
Looks like payload->payload.desc can be NULL here, hence the segfault.
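Added example (editor's illustration; not nftables source and not from the reporter): a small C model of the conflict check quoted above, placed beside a guarded variant, so the NULL dereference can be seen and compared in isolation. The struct layouts, enum values and function names (proto_ctx, payload_expr, conflict_check_unchecked, conflict_check_guarded, check_in_ip_ctx, last_error_message) are assumptions made for illustration, as is the decision to treat a payload expression with desc == NULL (a raw match such as @nh,16,4) as having no protocol to conflict with. The context state reproduces what the trace shows: protocol[PROTO_BASE_NETWORK_HDR] is proto_ip, the payload is base PROTO_BASE_NETWORK_HDR, offset 16, len 4, desc 0x0.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not nftables source: minimal stand-ins for the structures in
 * the trace. Layouts, names and enum values are assumptions for illustration. */
struct proto_desc {
    const char *name;
};

enum proto_bases {               /* (int)PROTO_BASE_NETWORK_HDR == 2, as printed in the trace */
    PROTO_BASE_INVALID,
    PROTO_BASE_LL_HDR,
    PROTO_BASE_NETWORK_HDR,
    PROTO_BASE_TRANSPORT_HDR,
    PROTO_BASE_MAX
};

struct proto_ctx {               /* model of ctx->pctx.protocol[]: protocol known per base */
    const struct proto_desc *protocol[PROTO_BASE_MAX];
};

struct payload_expr {            /* model of payload->payload; raw @nh,16,4 has desc == NULL */
    const struct proto_desc *desc;
    enum proto_bases base;
    unsigned int offset;
    unsigned int len;
};

const struct proto_desc proto_ip  = { "ip" };
const struct proto_desc proto_ip6 = { "ip6" };

static char last_error[128];

const char *last_error_message(void)
{
    return last_error;
}

static int report_conflict(const struct proto_desc *have, const struct proto_desc *want)
{
    snprintf(last_error, sizeof last_error,
             "conflicting protocols specified: %s vs. %s", have->name, want->name);
    return -1;
}

/* Same shape as the check quoted from src/evaluate.c: once a protocol is known
 * for this base and differs from the payload's, both desc pointers are
 * dereferenced to format the message. With p->desc == NULL that is the NULL
 * dereference behind the SIGSEGV. Returns 0 (no conflict) or -1 (conflict). */
int conflict_check_unchecked(const struct proto_ctx *ctx, const struct payload_expr *p)
{
    const struct proto_desc *have = ctx->protocol[p->base];

    if (have == NULL)
        return 0;                /* nothing known for this base yet */
    if (have != p->desc)
        return report_conflict(have, p->desc);
    return 0;
}

/* Guarded variant. A payload expression without a protocol description is a
 * raw offset/length match and names no protocol to conflict with, so it is
 * accepted; treating raw payloads this way is an assumption of this example. */
int conflict_check_guarded(const struct proto_ctx *ctx, const struct payload_expr *p)
{
    const struct proto_desc *have = ctx->protocol[p->base];

    if (have == NULL || p->desc == NULL)
        return 0;
    if (have != p->desc)
        return report_conflict(have, p->desc);
    return 0;
}

/* Evaluates a network-header payload match in the context from the trace, where
 * only protocol[PROTO_BASE_NETWORK_HDR] is set (to proto_ip). desc == NULL with
 * offset 16, len 4 is the reported "@nh,16,4"; pass guarded == 0 for that case
 * only if you want to reproduce the crash. */
int check_in_ip_ctx(const struct proto_desc *desc, unsigned int offset, unsigned int len, int guarded)
{
    struct proto_ctx ctx = { { NULL, NULL, &proto_ip, NULL } };
    struct payload_expr p = { desc, PROTO_BASE_NETWORK_HDR, offset, len };

    return guarded ? conflict_check_guarded(&ctx, &p)
                   : conflict_check_unchecked(&ctx, &p);
}

int main(void)
{
    printf("raw @nh,16,4, guarded:     %d\n", check_in_ip_ctx(NULL, 16, 4, 1));
    printf("ip6 field, unchecked:      %d (%s)\n",
           check_in_ip_ctx(&proto_ip6, 0, 4, 0), last_error_message());
    printf("ip saddr, guarded:         %d\n", check_in_ip_ctx(&proto_ip, 96, 32, 1));
    /* check_in_ip_ctx(NULL, 16, 4, 0) dereferences NULL, like the report. */
    return 0;
}
```

Build with cc -Wall and run; the unchecked path is exercised only on inputs with a non-NULL desc, where both variants agree. Uncommenting the call with guarded == 0 and desc == NULL reproduces the fault from the report: the crash is in the error-formatting path, not in the comparison, so it only shows up when the raw payload is evaluated in a context that already has a protocol for that header base.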
More information about the netfilter-buglog mailing list