[Bug 1355] New: Error parsing JSON config via a pipe to subprocess's stdin

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sun Jul 21 15:08:19 CEST 2019 

https://bugzilla.netfilter.org/show_bug.cgi?id=1355

            Bug ID: 1355
           Summary: Error parsing JSON config via a pipe to subprocess's
                    stdin
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Ubuntu
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: tad.ashlock at gmail.com

Created attachment 566
  --> https://bugzilla.netfilter.org/attachment.cgi?id=566&action=edit
C++ source file that demonstrates the problem

nft versions tested: 0.5, 0.9.0, 0.9.1
Linux kernel versions: 4.15.0 (Ubuntu 16.04.1), 4.14.120 (custom distro)​

I'm fork-exec'ing "nft -f /dev/stdin", passing the configuration string via a
pipe from the parent process.  When the configuration string gets larger than
8192 characters, the parser appears to get corrupted at the 8 KiB boundry. 
(I've also seen it at the 16 KiB boundary, too.)

This behavior doesn't happen if I pipe the same configuration in from a shell:
"nft -f /dev/stdin <ruleset.txt" works fine.

I've attached a C++ source file that demonstrates the problem.  The
configuration string was carefully crafted to cause the problem I'm seeing.  To
test that I haven't screwed up the fork-exec pipe to stdin, the demo code also
sends the configuration string to 'tee' and 'sed', each of which writes their
stdin to a separate file.  The configuration string is also directly written to
the file 'ruleset.txt' for comparison.

Build & run:
    g++ test.cc -o test --std=c++11 -Wall
    sudo nft flush ruleset
    sudo ./test
    sudo nft list ruleset
    diff ruleset.txt tee-input.txt
    diff ruleset.txt sed-input.txt

=========== START OF OUTPUT (sudo ./test) ==============
executing tee
#!/usr/sbin/nft -f
flush ruleset

#234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
[snip]
#234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
#23456789012345678901234567890

table ip filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "lo" ip saddr 10.0.0.0/8 tcp dport ssh accept
    }
}
executing sed
executing nft
/dev/stdin:95:42-48: Error: No symbol type information

                                         ^^^^^^^
unexpected exit status: 1
=========== END OF OUTPUT ==============

If you now add a space character before "dport" in the source code, rebuild, an
d rerun, the configuration will be parsed without an error.

There's nothing particular about "dport", that's just an arbitrary location I
picked.  You can add or delete more comment characters to change which
character is the 8192nd and the error location will change, along with the type
of error.

Adding spaces around each 8 KiB boundary of the configuration appears to be
work-around for this problem.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190721/62aa5c46/attachment.html>

More information about the netfilter-buglog mailing list