From: Jiri Benc <jbenc@redhat.com>
To: netfilter-devel@vger.kernel.org
Subject: [BUG] libnftables: NULL pointer dereference in nft_expr_ops_lookup
Date: Fri, 25 Oct 2013 15:27:35 +0200
Message-ID: <20131025152735.65d354bd@griffin>

Hi,

using both the latest (git) libnftables and nftables, I got:

[root@localhost ~]# nft add rule ip filter input tcp dport 81 reject
Segmentation fault (core dumped)

(gdb) bt
#0  0x00007fb7890c1364 in __strcmp_sse2 () from /lib64/libc.so.6
#1  0x00007fb78960bfa4 in nft_expr_ops_lookup (name=name@entry=0x0) at expr_ops.c:18
#2  0x00007fb78960bc56 in nft_rule_expr_alloc (name=name@entry=0x0) at expr.c:34
#3  0x000000000040db29 in alloc_nft_expr (name=name@entry=0x0) at src/netlink.c:118
#4  0x0000000000410117 in netlink_gen_reject_stmt (ctx=<optimized out>, stmt=<optimized out>)
    at src/netlink_linearize.c:564
#5  netlink_gen_stmt (stmt=0xb106f0, ctx=0x7fff734c4690) at src/netlink_linearize.c:651
#6  netlink_linearize_rule (ctx=ctx@entry=0x7fff734c4730, nlr=nlr@entry=0xb10520, rule=rule@entry=0xb10760)
    at src/netlink_linearize.c:670
#7  0x000000000040e25b in netlink_add_rule_batch (ctx=0x7fff734c4730, h=<optimized out>, rule=0xb10760, flags=2048)
    at src/netlink.c:320
#8  0x00000000004056ec in nft_netlink (msgs=0x7fff734c48b0, state=0x7fff734c48c0) at src/main.c:167
#9  nft_run (scanner=scanner@entry=0xb102c0, state=state@entry=0x7fff734c48c0, msgs=msgs@entry=0x7fff734c48b0)
    at src/main.c:214
#10 0x00000000004052e5 in main (argc=10, argv=<optimized out>) at src/main.c:321


Looking into the code, netlink_gen_reject_stmt calls
alloc_nft_expr(NULL), the NULL propagates to strcmp in
nft_expr_ops_lookup.

Sorry for not providing a patch, I'm only starting to look into the code
and this seems to require at least a certain degree of understanding
of those functions.

 Jiri

-- 
Jiri Benc
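
The NULL propagation described in the report above, as an added example that is not part of the original message and is not code from libnftables or nftables. The types, the table entries and the `*_checked` function names are hypothetical; the lookup rejects a NULL name before it reaches `strcmp`, and the allocator passes that failure up to its caller.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not libnftables' real types. */
struct expr_ops { const char *name; size_t priv_size; };
struct expr { const struct expr_ops *ops; unsigned char data[]; };

/* Constructed sample table of registered expression types. */
static const struct expr_ops ops_table[] = {
    { "payload", 16 }, { "cmp", 24 }, { "reject", 8 },
};
#define OPS_COUNT (sizeof(ops_table) / sizeof(ops_table[0]))

/* Name-based lookup with the check at the trust boundary: a NULL or empty
 * name is reported as "not found" instead of being passed to strcmp(),
 * whose behaviour on a NULL argument is undefined (frame #0 of the
 * backtrace is that call faulting). */
const struct expr_ops *ops_lookup_checked(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return NULL;
    for (size_t i = 0; i < OPS_COUNT; i++)
        if (strcmp(ops_table[i].name, name) == 0)
            return &ops_table[i];
    return NULL;
}

/* Allocation wrapper: an unknown or missing name yields NULL, so the
 * caller generating the statement can report an error and stop. */
struct expr *expr_alloc_checked(const char *name)
{
    const struct expr_ops *ops = ops_lookup_checked(name);
    if (ops == NULL)
        return NULL;
    struct expr *e = calloc(1, sizeof(*e) + ops->priv_size);
    if (e != NULL)
        e->ops = ops;
    return e;
}

int main(void)
{
    /* The failing call shape from the report: a NULL expression name. */
    struct expr *bad = expr_alloc_checked(NULL);
    struct expr *ok = expr_alloc_checked("reject");
    int rc = (bad == NULL && ok != NULL) ? 0 : 1;
    free(ok);
    free(bad);
    return rc;
}
```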
