From: Bill Fink <billfink@mindspring.com>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: conntrackd segfault on EPSV IPv6 ftp command when using ftp ExpectationSync
Date: Fri, 5 Jul 2013 15:45:27 -0400
Message-ID: <20130705154527.8f18a181.billfink@mindspring.com>
In-Reply-To: <20130705020312.25783ccd.billfink@mindspring.com>

[Please Cc: me on replies as I am not subscribed]

Florian,

First, many thanks for the quick fix!

On Fri, 5 Jul 2013, Florian Westphal wrote:

> Bill Fink <billfink@xxxxxxxxxxxxxx> wrote:
> > 230 Anonymous login ok, restrictions apply.
> > EPSV
> > 229 Entering Extended Passive Mode (|||1584|)
> > 
> > As soon as I enter the EPSV command, I get the following
> > conntrackd segfault:
> > 
> > Jul  5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]
> 
> #0  0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at
> ../include/jhash.h:99
> 99                      a += k[0];
> (gdb) bt f
> #0  0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at ../include/jhash.h:99
>         a = 2654435769 b = 2654435769 c = 0 len = 4
> #1  0x000000000040f564 in ct_filter_hash6 (data=0x0, table=0x16ef630) at filter.c:57
> #2  0x000000000040ad34 in hashtable_hash (table=0x16ef630, data=0x0) at hash.c:63
> #3  0x000000000040fd19 in __ct_filter_test_ipv6 (f=0x16eeba0, ct=0x1703760) at filter.c:265
> id_src = 51 id_dst = 24051376 src = 0x1703760 dst = 0x0
> 
> NULL deref in __ct_filter_test_ipv6.  Doesn't happen for ipv4 because
> nfct_get_attr_u32() returns 0, but nfct_get_attr() returns NULL instead.
> 
> @@ -261,8 +264,8 @@ __ct_filter_test_ipv6(struct ct_filter *f, const
> 		struct nf_conntrack *ct)
>         src = nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC);
>         dst = nfct_get_attr(ct, ATTR_REPL_IPV6_SRC);
> 
> -       id_src = hashtable_hash(f->h6, src);
> -       id_dst = hashtable_hash(f->h6, dst);
> +       id_src = src ? hashtable_hash(f->h6, src) : 0;
> +       id_dst = dst ? hashtable_hash(f->h6, dst) : 0;
> 
> 
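Review bot: the two `+` lines stop the NULL read, but substituting 0 for a missing attribute means __ct_filter_test_ipv6() continues with an id_src/id_dst that is indistinguishable from a real address whose hash lands in bucket 0; returning early and treating a NULL src or dst as a filter miss would keep the two cases apart, and, as the message itself notes, the other nfct_get_attr() callers that skip the NULL check need the same treatment before the fix is complete.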
> Not sure if this is enough, there are other callers
> of nfct_get_attr() that don't check for NULL.

This cured my immediate problem.  conntrackd no longer segfaults
and I now get IPv6 expectations.

[root@sen-fw1 ~]# conntrackd -i expect
proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=23046 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=38142 dport=21 class=0 helper=ftp [active since 44s]

I will now continue further testing.

I did need my patch to successfully resync the IPv6 expectations
from the kernel via "conntrackd -R" after flushing the conntrackd
cache via "conntrackd -f".

I guess I should submit my patch as an RFC patch to get
comments on it.

					-Thanks

					-Bill
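The NULL dereference Florian describes and the guard from his hunk, as an added example that is not conntrack-tools code: jhash2 is written out in the lookup2-style form the gdb frame shows (a = b = golden ratio, c = initval), HASH6_SIZE and the filter_ids_* helpers are assumed names, and the guarded version goes one step beyond the patch by reporting whether both attributes were present so a caller can treat a missing side as a filter miss rather than as bucket 0.

```c
#include <stdint.h>
#include <stddef.h>

#define JHASH_GOLDEN_RATIO 0x9e3779b9U   /* 2654435769, the a/b seen in the gdb frame */
#define __jhash_mix(a, b, c) { \
    a -= b; a -= c; a ^= (c >> 13); b -= c; b -= a; b ^= (a << 8);  \
    c -= a; c -= b; c ^= (b >> 13); a -= b; a -= c; a ^= (c >> 12); \
    b -= c; b -= a; b ^= (a << 16); c -= a; c -= b; c ^= (b >> 5);  \
    a -= b; a -= c; a ^= (c >> 3);  b -= c; b -= a; b ^= (a << 10); \
    c -= a; c -= b; c ^= (b >> 15); }

/* Lookup2-style jhash2 over `length` u32 words; k == NULL faults at the first k[0]. */
static uint32_t jhash2(const uint32_t *k, uint32_t length, uint32_t initval)
{
    uint32_t a = JHASH_GOLDEN_RATIO, b = JHASH_GOLDEN_RATIO, c = initval;
    uint32_t len = length;
    while (len >= 3) {                 /* this is jhash.h:99 in the backtrace */
        a += k[0]; b += k[1]; c += k[2];
        __jhash_mix(a, b, c);
        k += 3; len -= 3;
    }
    c += length * 4;
    switch (len) { case 2: b += k[1]; /* fallthrough */ case 1: a += k[0]; }
    __jhash_mix(a, b, c);
    return c;
}

#define HASH6_SIZE 64U   /* assumed bucket count for the example */

/* Mirrors ct_filter_hash6(): a 16-byte IPv6 address hashed as four u32 words. */
static uint32_t ct_filter_hash6(const void *addr)
{
    return jhash2((const uint32_t *)addr, 4, 0) % HASH6_SIZE;
}

/* Unguarded form from before the patch: nfct_get_attr() returning NULL for a
 * missing ATTR_*_IPV6_SRC reaches jhash2() and segfaults, exactly as reported. */
static uint32_t filter_ids_unguarded(const void *src, const void *dst, uint32_t *id_dst)
{
    *id_dst = ct_filter_hash6(dst);
    return ct_filter_hash6(src);
}

/* Guarded form: a missing attribute yields id 0 (as in the hunk) and the return
 * value tells the caller whether both sides were present at all. */
static int filter_ids_guarded(const void *src, const void *dst,
                              uint32_t *id_src, uint32_t *id_dst)
{
    *id_src = src ? ct_filter_hash6(src) : 0;
    *id_dst = dst ? ct_filter_hash6(dst) : 0;
    return src != NULL && dst != NULL;
}
```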
