From: Florian Westphal <fw@strlen.de>
To: Bill Fink <billfink@mindspring.com>
Cc: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: conntrackd segfault on EPSV IPv6 ftp command when using ftp ExpectationSync
Date: Fri, 5 Jul 2013 10:19:10 +0200
Message-ID: <20130705081910.GA25000@breakpoint.cc>
In-Reply-To: <20130705020312.25783ccd.billfink@mindspring.com>

Bill Fink <billfink@mindspring.com> wrote:
> 230 Anonymous login ok, restrictions apply.
> EPSV
> 229 Entering Extended Passive Mode (|||1584|)
> 
> As soon as I enter the EPSV command, I get the following
> conntrackd segfault:
> 
> Jul  5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]

#0  0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at
../include/jhash.h:99
99                      a += k[0];
(gdb) bt f
#0  0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at ../include/jhash.h:99
        a = 2654435769 b = 2654435769 c = 0 len = 4
#1  0x000000000040f564 in ct_filter_hash6 (data=0x0, table=0x16ef630) at filter.c:57
#2  0x000000000040ad34 in hashtable_hash (table=0x16ef630, data=0x0) at hash.c:63
#3  0x000000000040fd19 in __ct_filter_test_ipv6 (f=0x16eeba0, ct=0x1703760) at filter.c:265
id_src = 51 id_dst = 24051376 src = 0x1703760 dst = 0x0

NULL deref in __ct_filter_test_ipv6.  Doesn't happen for ipv4 because
nfct_get_attr_u32() returns 0, but nfct_get_attr() returns NULL instead.

@@ -261,8 +264,8 @@ __ct_filter_test_ipv6(struct ct_filter *f, const
		struct nf_conntrack *ct)
        src = nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC);
        dst = nfct_get_attr(ct, ATTR_REPL_IPV6_SRC);

-       id_src = hashtable_hash(f->h6, src);
-       id_dst = hashtable_hash(f->h6, dst);
+       id_src = src ? hashtable_hash(f->h6, src) : 0;
+       id_dst = dst ? hashtable_hash(f->h6, dst) : 0;

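Review bot: substituting 0 for the id when src or dst is NULL makes "attribute missing" indistinguishable from a genuine hash bucket 0, so the remainder of __ct_filter_test_ipv6 goes on to consult a filter bucket that has nothing to do with this conntrack; an explicit early exit when either nfct_get_attr() call returns NULL, placed before the two hashtable_hash() calls and returning whatever value the function uses for "no match", keeps the filter decision well defined instead of silently wrong. The change also deserves a sentence on why an IPv6 conntrack created for the EPSV expectation can lack ATTR_ORIG_IPV6_SRC or ATTR_REPL_IPV6_SRC in the first place, since the guard hides that condition rather than explaining it.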

Not sure if this is enough, there are other callers
of nfct_get_attr() that don't check for NULL.
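Added example, not code from this thread or from conntrackd: a small model of the lookup in __ct_filter_test_ipv6 built around a constructed conntrack stand-in and the jhash2 from include/jhash.h (the older GOLDEN_RATIO variant, consistent with a = b = 2654435769 in the backtrace). It shows that a NULL pointer attribute must be rejected before it reaches the hash, and why the IPv4 path, whose getter yields 0 rather than NULL, fails silently instead of crashing. `struct mock_ct`, `filter_ids_ipv6`, `filter_id_ipv4` and `BUCKETS` are assumed names.

```c
#include <stdint.h>
#include <stddef.h>
#define BUCKETS 1024
#define JHASH_GOLDEN_RATIO 0x9e3779b9U
/* Bob Jenkins' old jhash mixer as in conntrackd's include/jhash.h
 * (the backtrace shows a = b = 2654435769 = JHASH_GOLDEN_RATIO). */
#define JHASH_MIX(a, b, c) do {                                        \
	a -= b; a -= c; a ^= (c >> 13); b -= c; b -= a; b ^= (a << 8);  \
	c -= a; c -= b; c ^= (b >> 13); a -= b; a -= c; a ^= (c >> 12); \
	b -= c; b -= a; b ^= (a << 16); c -= a; c -= b; c ^= (b >> 5);  \
	a -= b; a -= c; a ^= (c >> 3);  b -= c; b -= a; b ^= (a << 10); \
	c -= a; c -= b; c ^= (b >> 15); } while (0)

/* jhash2 as in jhash.h; "a += k[0]" is the line that faults on k == NULL. */
static uint32_t jhash2(const uint32_t *k, uint32_t length, uint32_t initval)
{
	uint32_t a = JHASH_GOLDEN_RATIO, b = a, c = initval, len = length;
	for (; len >= 3; k += 3, len -= 3) {
		a += k[0]; b += k[1]; c += k[2];
		JHASH_MIX(a, b, c);
	}
	c += length * 4;
	if (len == 2) b += k[1];
	if (len >= 1) a += k[0];
	JHASH_MIX(a, b, c);
	return c;
}

/* Constructed stand-in for the conntrack object: as with nfct_get_attr(),
 * the IPv6 addresses are pointers that are NULL when the attribute is unset. */
struct mock_ct {
	const uint32_t *orig_src6, *repl_src6;   /* 4 x u32 each, or NULL */
};

/* Hardened form of the lookup in __ct_filter_test_ipv6: a missing address is
 * reported (-1) instead of being hashed, so it never aliases bucket 0. */
int filter_ids_ipv6(const struct mock_ct *ct, uint32_t *id_src, uint32_t *id_dst)
{
	if (!ct->orig_src6 || !ct->repl_src6)
		return -1;
	*id_src = jhash2(ct->orig_src6, 4, 0) % BUCKETS;
	*id_dst = jhash2(ct->repl_src6, 4, 0) % BUCKETS;
	return 0;
}

/* IPv4 path: an unset u32 attribute reads as 0 and is hashed as 0.0.0.0, so
 * there is no crash, but the filter is consulted for an unrelated bucket. */
uint32_t filter_id_ipv4(uint32_t addr)
{
	return jhash2(&addr, 1, 0) % BUCKETS;
}
```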

