* Conntrackd segfaults
@ 2008-04-28 21:43 Maximilian Wilhelm
  2008-04-29 12:44 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 3+ messages in thread
From: Maximilian Wilhelm @ 2008-04-28 21:43 UTC (permalink / raw)
  To: netfilter-devel

Hi!

After updating my firewalls to Debian Etch + conntrackd (R.I.P. ct_sync!)
we saw conntrackd segfaulting on one of the machines. (I used
backported packages from Debian unstable for conntrackd + the two libraries.)

We're using ALARM-based synchronization.

This came out by hunting the bug:

| root@fw1[~]$ gdb /usr/sbin/conntrackd
| GNU gdb 6.4.90-debian
| Copyright (C) 2006 Free Software Foundation, Inc.
| GDB is free software, covered by the GNU General Public License, and you are
| welcome to change it and/or distribute copies of it under certain conditions.
| Type "show copying" to see the conditions.
| There is absolutely no warranty for GDB.  Type "show warranty" for details.
| This GDB was configured as "i486-linux-gnu"...Using host libthread_db
| library "/lib/tls/libthread_db.so.1".
| 
| (gdb) run
| Starting program: /usr/sbin/conntrackd
| 
| Program received signal SIGSEGV, Segmentation fault.
| 0x00000000 in ?? ()
| (gdb) bt
| #0  0x00000000 in ?? ()
| #1  0xb7f21b89 in nfct_get_attr (ct=0x80f31a0, type=ATTR_MASTER_IPV4_SRC) at api.c:292
| #2  0xb7f21c04 in nfct_get_attr_u32 (ct=0x80f31a0, type=ATTR_MASTER_IPV4_SRC) at api.c:339
| #3  0x08050cdc in __build_u32 (ct=0xb7f2a6a0, pld=0x25, attr=5) at build.c:56
| #4  0x0805120e in build_netpld (ct=0x80f31a0, pld=0xbfa42254, query=0) at build.c:119
| #5  0x0804e9ad in mcast_send_sync (u=0x80be26c, ct=0x80f31a0, query=0) at sync-mode.c:346
| #6  0x0804caee in event_handler (type=NFCT_T_NEW, ct=0x80f31a0, data=0x0) at netlink.c:66
| #7  0xb7f21d2e in __callback (nlh=0xbfa43380, nfa=0xbfa432c0, data=0x807a9a8) at callback.c:33
| #8  0xb7f16d1b in nfnl_step (h=<value optimized out>, nlh=0xbfa43380) at libnfnetlink.c:1289
| #9  0xb7f16ef6 in nfnl_process (h=0x807a7f8, buf=0xbfa43380 "�, len=192) at libnfnetlink.c:1334
| #10 0xb7f18278 in nfnl_catch (h=0x807a7f8) at libnfnetlink.c:1487
| #11 0xb7f21153 in nfct_catch (h=0x807a940) at api.c:588
| #12 0x0804a71d in run () at run.c:195
| #13 0x0804a1bd in main (argc=1, argv=Cannot access memory at address 0x9
| ) at main.c:259
| (gdb) The program is running.  Exit anyway? (y or n) y

The problem seems to be that in

 libnetfilter-conntrack /src/conntrack/getter.c

in line 225

 get_attr get_attr_array[]

has no entry for

 ATTR_MASTER_IPV4_SRC

Maybe anybody who's in this magic can fix it :)

Ciao & Thanks
Max
-- 
	Follow the white penguin.
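
Added example, not part of the original thread and not libnetfilter_conntrack code: a small C model of the failure reported above, where a getter table built with designated initializers has no entry for one attribute id, shown with a lookup that rejects the empty slot in every build and a self-check that finds the hole. All demo_* names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical attribute ids; DEMO_ATTR_MASTER_SRC stands in for the
 * attribute that had no getter in the report. */
enum demo_attr { DEMO_ATTR_ORIG_SRC, DEMO_ATTR_ORIG_DST,
		 DEMO_ATTR_MASTER_SRC, DEMO_ATTR_MARK, DEMO_ATTR_MAX };

struct demo_ct { unsigned int orig_src, orig_dst, master_src, mark; };

typedef const void *(*demo_getter)(const struct demo_ct *ct);

static const void *get_orig_src(const struct demo_ct *ct) { return &ct->orig_src; }
static const void *get_orig_dst(const struct demo_ct *ct) { return &ct->orig_dst; }
static const void *get_mark(const struct demo_ct *ct) { return &ct->mark; }

/* Designated initializers leave every unlisted slot NULL: that is the hole. */
static const demo_getter demo_getters[DEMO_ATTR_MAX] = {
	[DEMO_ATTR_ORIG_SRC] = get_orig_src,
	[DEMO_ATTR_ORIG_DST] = get_orig_dst,
	[DEMO_ATTR_MARK]     = get_mark,
};

/* Guarded lookup: range check plus empty-slot check, active in all builds. */
const void *demo_get_attr(const struct demo_ct *ct, unsigned int type)
{
	if (ct == NULL || type >= DEMO_ATTR_MAX) { errno = EINVAL; return NULL; }
	if (demo_getters[type] == NULL) { errno = ENOTSUP; return NULL; }
	return demo_getters[type](ct);
}

/* Self-check for startup or a unit test: first id without a getter, or -1. */
int demo_first_missing_getter(void)
{
	for (int i = 0; i < DEMO_ATTR_MAX; i++)
		if (demo_getters[i] == NULL)
			return i;
	return -1;
}

int main(void)
{
	struct demo_ct ct = { 1, 2, 3, 4 };	/* constructed sample values */
	printf("first id without getter: %d\n", demo_first_missing_getter());
	printf("lookup of empty slot: %s\n",
	       demo_get_attr(&ct, DEMO_ATTR_MASTER_SRC) ? "pointer" : "NULL");
	return 0;
}
```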

* Re: Conntrackd segfaults
  2008-04-28 21:43 Conntrackd segfaults Maximilian Wilhelm
@ 2008-04-29 12:44 ` Pablo Neira Ayuso
  2008-04-30 13:06   ` Maximilian Wilhelm
  0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2008-04-29 12:44 UTC (permalink / raw)
  To: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 381 bytes --]

Hi Max,

Maximilian Wilhelm wrote:
> The problem seems to be that in
> 
>  libnetfilter-conntrack /src/conntrack/getter.c
> 
> in line 225
> 
>  get_attr get_attr_array[]
> 
> has no entry for
> 
>  ATTR_MASTER_IPV4_SRC
> 
> Maybe anybody who's in this magic can fix it :)

Fixed in SVN. Thanks for the detailed report.

-- 
"Honest people are social misfits" -- Les Luthiers

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 2443 bytes --]

Index: src/conntrack/api.c
===================================================================
--- src/conntrack/api.c	(revisión: 7495)
+++ src/conntrack/api.c	(copia de trabajo)
@@ -289,6 +289,8 @@
 		return NULL;
 	}
 
+	assert(get_attr_array[type]);
+
 	return get_attr_array[type](ct);
 }
 
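Review bot: the assert(get_attr_array[type]) added before the return is compiled out when the library is built with NDEBUG, so such a build would still call through a NULL slot, and with assertions enabled the calling daemon is aborted instead. Handle the empty slot the way the check just above does and return NULL when get_attr_array[type] is NULL. The hunk also shows no #include <assert.h>, so confirm api.c already has one.
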
Index: src/conntrack/getter.c
===================================================================
--- src/conntrack/getter.c	(revisión: 7428)
+++ src/conntrack/getter.c	(copia de trabajo)
@@ -102,6 +102,46 @@
 	return &ct->tuple[__DIR_REPL].protonum;
 }
 
+static const void *get_attr_master_ipv4_src(const struct nf_conntrack *ct)
+{
+	return &ct->tuple[__DIR_MASTER].src.v4;
+}
+
+static const void *get_attr_master_ipv4_dst(const struct nf_conntrack *ct)
+{
+	return &ct->tuple[__DIR_MASTER].dst.v4;
+}
+
+static const void *get_attr_master_ipv6_src(const struct nf_conntrack *ct)
+{
+	return &ct->tuple[__DIR_MASTER].src.v6;
+}
+
+static const void *get_attr_master_ipv6_dst(const struct nf_conntrack *ct)
+{
+	return &ct->tuple[__DIR_MASTER].dst.v6;
+}
+
+static const void *get_attr_master_port_src(const struct nf_conntrack *ct)
+{
+	return &ct->tuple[__DIR_MASTER].l4src.all; 
+}
+
+static const void *get_attr_master_port_dst(const struct nf_conntrack *ct)
+{
+	return &ct->tuple[__DIR_MASTER].l4dst.all; 
+}
+
+static const void *get_attr_master_l3proto(const struct nf_conntrack *ct)
+{
+	return &ct->tuple[__DIR_MASTER].l3protonum;
+}
+
+static const void *get_attr_master_l4proto(const struct nf_conntrack *ct)
+{
+	return &ct->tuple[__DIR_MASTER].protonum;
+}
+
 static const void *get_attr_tcp_state(const struct nf_conntrack *ct)
 {
 	return &ct->protoinfo.tcp.state;
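Review bot: all eight new getters index ct->tuple[__DIR_MASTER], but nothing in this diff touches the declaration of tuple[], so please confirm the array is sized to include __DIR_MASTER; otherwise these functions return pointers past its end. Style: get_attr_master_port_src and get_attr_master_port_dst carry trailing whitespace after ".all;".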
@@ -265,6 +305,14 @@
 	[ATTR_TCP_FLAGS_REPL]		= get_attr_tcp_flags_repl,
 	[ATTR_TCP_MASK_ORIG]		= get_attr_tcp_mask_orig,
 	[ATTR_TCP_MASK_REPL]		= get_attr_tcp_mask_repl,
+	[ATTR_MASTER_IPV4_SRC]		= get_attr_master_ipv4_src,
+	[ATTR_MASTER_IPV4_DST] 		= get_attr_master_ipv4_dst,
+	[ATTR_MASTER_IPV6_SRC]		= get_attr_master_ipv6_src,
+	[ATTR_MASTER_IPV6_DST]		= get_attr_master_ipv6_dst,
+	[ATTR_MASTER_PORT_SRC]		= get_attr_master_port_src,
+	[ATTR_MASTER_PORT_DST]		= get_attr_master_port_dst,
+	[ATTR_MASTER_L3PROTO]		= get_attr_master_l3proto,
+	[ATTR_MASTER_L4PROTO]		= get_attr_master_l4proto,
 	[ATTR_SECMARK]			= get_attr_secmark,
 	[ATTR_ORIG_NAT_SEQ_CORRECTION_POS]	= get_attr_orig_cor_pos,
 	[ATTR_ORIG_NAT_SEQ_OFFSET_BEFORE]	= get_attr_orig_off_bfr,
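
Review bot: get_attr_array[] is filled with designated initializers, so any attribute id without a line here stays NULL, which is the gap the eight ATTR_MASTER_* entries close; a self-test or startup loop that checks every index of the table for a non-NULL getter would catch the next missing entry before release. Minor: the [ATTR_MASTER_IPV4_DST] line has a stray space before the tabs.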


* Re: Conntrackd segfaults
  2008-04-29 12:44 ` Pablo Neira Ayuso
@ 2008-04-30 13:06   ` Maximilian Wilhelm
  0 siblings, 0 replies; 3+ messages in thread
From: Maximilian Wilhelm @ 2008-04-30 13:06 UTC (permalink / raw)
  To: netfilter-devel

On Tuesday, 29 April, Pablo Neira Ayuso typed the following:

Hi Pablo!

> Maximilian Wilhelm wrote:
> > The problem seems to be that in

> >  libnetfilter-conntrack /src/conntrack/getter.c

> > in line 225

> >  get_attr get_attr_array[]

> > has no entry for

> >  ATTR_MASTER_IPV4_SRC

> > Maybe anybody who's in this magic can fix it :)

> Fixed in SVN. Thanks for the detailed report.

Thanks for the fast response!

Ciao
Max
-- 
	Follow the white penguin.
