From: Bill Fink <billfink@mindspring.com>
To: Bill Fink <billfink@mindspring.com>
Cc: Florian Westphal <fw@strlen.de>,
netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: conntrackd segfault on EPSV IPv6 ftp command when using ftp ExpectationSync
Date: Fri, 5 Jul 2013 19:52:26 -0400
Message-ID: <20130705195226.fd3e4065.billfink@mindspring.com>
In-Reply-To: <20130705154527.8f18a181.billfink@mindspring.com>
On Fri, 5 Jul 2013, Bill Fink wrote:
> [Please Cc: me on replies as I am not subscribed]
>
> On Fri, 5 Jul 2013, Florian Westphal wrote:
>
> > Bill Fink <billfink@xxxxxxxxxxxxxx> wrote:
> > > 230 Anonymous login ok, restrictions apply.
> > > EPSV
> > > 229 Entering Extended Passive Mode (|||1584|)
> > >
> > > As soon as I enter the EPSV command, I get the following
> > > conntrackd segfault:
> > >
> > > Jul 5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]
> >
> > #0 0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at
> > ../include/jhash.h:99
> > 99 a += k[0];
> > (gdb) bt f
> > #0 0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at ../include/jhash.h:99
> > a = 2654435769 b = 2654435769 c = 0 len = 4
> > #1 0x000000000040f564 in ct_filter_hash6 (data=0x0, table=0x16ef630) at filter.c:57
> > #2 0x000000000040ad34 in hashtable_hash (table=0x16ef630, data=0x0) at hash.c:63
> > #3 0x000000000040fd19 in __ct_filter_test_ipv6 (f=0x16eeba0, ct=0x1703760) at filter.c:265
> > id_src = 51 id_dst = 24051376 src = 0x1703760 dst = 0x0
> >
> > NULL deref in __ct_filter_test_ipv6. Doesn't happen for ipv4 because
> > nfct_get_attr_u32() return 0, but nfct_get_attr() returns NULL instead.
> >
> > @@ -261,8 +264,8 @@ __ct_filter_test_ipv6(struct ct_filter *f, const
> > struct nf_conntrack *ct)
> > src = nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC);
> > dst = nfct_get_attr(ct, ATTR_REPL_IPV6_SRC);
> >
> > - id_src = hashtable_hash(f->h6, src);
> > - id_dst = hashtable_hash(f->h6, dst);
> > + id_src = src ? hashtable_hash(f->h6, src) : 0;
> > + id_dst = dst ? hashtable_hash(f->h6, dst) : 0;
> >
> >
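Review bot: the `id_src = src ? hashtable_hash(f->h6, src) : 0;` / `id_dst = dst ? hashtable_hash(f->h6, dst) : 0;` guards keep the NULL out of jhash2(), but they turn an absent address into hash id 0, which is also the legitimate id of any real address that hashes to 0, and src/dst themselves stay NULL for whatever the function does with those ids afterwards. It would be safer to treat an absent side as simply not matching (skip that side's lookup, or return early when both are NULL) than to hand id 0 on to the rest of the filter test. As the sentence after the hunk says, the other nfct_get_attr() callers deserve the same audit, since the pointer getter reports a missing attribute as NULL where nfct_get_attr_u32() reports 0.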
> > Not sure if this is enough, there are other callers
> > of nfct_get_attr() that don't check for NULL.
>
> This cured my immediate problem. conntrackd no longer segfaults
> and I now get IPv6 expectations.
>
> [root@sen-fw1 ~]# conntrackd -i expect
> proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=23046 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=38142 dport=21 class=0 helper=ftp [active since 44s]
>
> I will now continue further testing.
While definitely making progress, the next problem is that while
the active firewall sees the IPv6 ftp expectation, it is not
successfully synced to the backup firewall, and the following
error appears in the conntrackd.log on the backup firewall:

[Fri Jul 5 16:28:50 2013] (pid=5128) [ERROR] inject-add2: Invalid argument
Fri Jul 5 16:28:50 2013 300 proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=11645 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=46231 dport=21 class=0 helper=ftp

I don't see anything wrong with the above, which matches exactly
the IPv6 ftp expectation seen on the primary firewall:

[root@sen-fw1 ~]# conntrackd -i expect
proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=11645 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=46231 dport=21 class=0 helper=ftp [active since 185s]

I started looking at external_inject_exp_new() in external_inject.c,
where the inject-add2 error presumably comes from, but I haven't
gotten too far yet since I'm not that familiar with the code.

Anyone have any ideas about what might be wrong?

-Thanks
-Bill
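The NULL dereference Florian explains in the quoted part of this message (nfct_get_attr() returns NULL for an absent attribute where nfct_get_attr_u32() returns 0, and the pointer goes straight into jhash2()) reduced to a stand-alone C example. This is an added illustration, not conntrack-tools or libnetfilter_conntrack code: the attribute getter, the hash (FNV-1a standing in for jhash2), the filter table and the sample addresses are all assumed stand-ins. The unguarded function keeps the shape of the original lookup; the guarded one checks each pointer before hashing it, so a record that has only one address is still compared on the address it has and a record with none matches nothing. The patch posted in the thread instead substitutes hash id 0 for a NULL address; this variant skips the absent side.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not conntrack-tools code: the getter, hash and table
 * below are assumed stand-ins that keep the shape of __ct_filter_test_ipv6(). */

#define NBUCKETS 16

struct toy_ct {                  /* toy conntrack record */
    const uint8_t *orig_src;     /* 16-byte IPv6 address or NULL */
    const uint8_t *repl_src;
};

/* Stand-in for nfct_get_attr(): an absent attribute comes back as NULL,
 * whereas nfct_get_attr_u32() would report it as 0. reply=0 -> orig side. */
static const uint8_t *toy_get_attr(const struct toy_ct *ct, int reply)
{
    return reply ? ct->repl_src : ct->orig_src;
}

/* Stand-in for jhash2(k, 4, 0): FNV-1a over the 16 bytes. Like the real
 * hash it dereferences k unconditionally, so a NULL k faults here. */
static uint32_t toy_hash(const uint8_t *k)
{
    uint32_t h = 2166136261u;
    for (int i = 0; i < 16; i++) { h ^= k[i]; h *= 16777619u; }
    return h % NBUCKETS;
}

struct toy_filter {              /* bucketed table of filtered addresses */
    uint8_t addrs[NBUCKETS][4][16];
    int count[NBUCKETS];
};

static void toy_filter_add(struct toy_filter *f, const uint8_t *addr)
{
    uint32_t b = toy_hash(addr);
    if (f->count[b] < 4)
        memcpy(f->addrs[b][f->count[b]++], addr, 16);
}

static int toy_filter_has(const struct toy_filter *f, const uint8_t *addr)
{
    uint32_t b = toy_hash(addr);
    for (int i = 0; i < f->count[b]; i++)
        if (memcmp(f->addrs[b][i], addr, 16) == 0)
            return 1;
    return 0;
}

/* Before: the unpatched shape. A record whose reply address is absent
 * reaches toy_hash(NULL), the counterpart of the jhash2(k=0x0) frame. */
static int toy_filter_test_unguarded(const struct toy_filter *f,
                                     const struct toy_ct *ct)
{
    const uint8_t *src = toy_get_attr(ct, 0);
    const uint8_t *dst = toy_get_attr(ct, 1);
    return toy_filter_has(f, src) || toy_filter_has(f, dst);
}

/* After: only the sides that exist are hashed and compared. (The patch
 * in the thread maps NULL to hash id 0; this variant skips the side.) */
static int toy_filter_test_guarded(const struct toy_filter *f,
                                   const struct toy_ct *ct)
{
    const uint8_t *src = toy_get_attr(ct, 0);
    const uint8_t *dst = toy_get_attr(ct, 1);
    return (src != NULL && toy_filter_has(f, src)) ||
           (dst != NULL && toy_filter_has(f, dst));
}

/* Constructed sample addresses (documentation prefix, not from the thread). */
static const uint8_t TOY_ADDR_A[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 0x01 };
static const uint8_t TOY_ADDR_B[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 0x02 };

/* Bitmask of cases that behave: 1 = full record with A matches, 2 = full
 * record without A does not, 4 = record with only its orig side (A) still
 * matches, 8 = record with no addresses matches nothing. Returns 15 when
 * all hold; the unguarded variant is only run where it cannot fault. */
static int toy_scenario(void)
{
    struct toy_filter f;
    struct toy_ct with_a = { TOY_ADDR_A, TOY_ADDR_B };
    struct toy_ct with_b = { TOY_ADDR_B, TOY_ADDR_B };
    struct toy_ct half   = { TOY_ADDR_A, NULL };   /* like the ftp expectation */
    struct toy_ct none   = { NULL, NULL };
    int r = 0;

    memset(&f, 0, sizeof f);
    toy_filter_add(&f, TOY_ADDR_A);
    r |= toy_filter_test_unguarded(&f, &with_a) && toy_filter_test_guarded(&f, &with_a) ? 1 : 0;
    r |= !toy_filter_test_unguarded(&f, &with_b) && !toy_filter_test_guarded(&f, &with_b) ? 2 : 0;
    r |= toy_filter_test_guarded(&f, &half) ? 4 : 0;
    r |= toy_filter_test_guarded(&f, &none) ? 0 : 8;
    return r;
}
```

The same asymmetry applies to every pointer-returning getter: a caller that was written against a getter reporting absence as 0 cannot be moved to one reporting absence as NULL without adding the check, which is why the other nfct_get_attr() call sites mentioned in the thread deserve the same audit.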