[nft PATCH] misspell: Avoid segfault with anonymous chains

[nft PATCH] misspell: Avoid segfault with anonymous chains

[Phil Sutter]

When trying to add a rule which contains an anonymous chain to a
non-existent chain, string_misspell_update() is called with a NULL
string because the anonymous chain has no name. Avoid this by making the
function NULL-pointer tolerant.

c330152b7f777 ("src: support for implicit chain bindings")

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/misspell.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/misspell.c b/src/misspell.c
index 6536d7557a445..f213a240005e6 100644
--- a/src/misspell.c
+++ b/src/misspell.c
@@ -80,8 +80,8 @@ int string_misspell_update(const char *a, const char *b,
 {
 	unsigned int len_a, len_b, max_len, min_len, distance, threshold;
 
-	len_a = strlen(a);
-	len_b = strlen(b);
+	len_a = a ? strlen(a) : 0;
+	len_b = b ? strlen(b) : 0;
 
 	max_len = max(len_a, len_b);
 	min_len = min(len_a, len_b);
-- 
2.34.1

Re: [nft PATCH] misspell: Avoid segfault with anonymous chains

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 1172 bytes --]

Hi Phil,

On Fri, Mar 04, 2022 at 11:37:11AM +0100, Phil Sutter wrote:
> When trying to add a rule which contains an anonymous chain to a
> non-existent chain, string_misspell_update() is called with a NULL
> string because the anonymous chain has no name. Avoid this by making the
> function NULL-pointer tolerant.
> 
> c330152b7f777 ("src: support for implicit chain bindings")
> 
> Signed-off-by: Phil Sutter <phil@nwl.cc>
> ---
>  src/misspell.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/src/misspell.c b/src/misspell.c
> index 6536d7557a445..f213a240005e6 100644
> --- a/src/misspell.c
> +++ b/src/misspell.c
> @@ -80,8 +80,8 @@ int string_misspell_update(const char *a, const char *b,
>  {
>  	unsigned int len_a, len_b, max_len, min_len, distance, threshold;
>  
> -	len_a = strlen(a);
> -	len_b = strlen(b);
> +	len_a = a ? strlen(a) : 0;
> +	len_b = b ? strlen(b) : 0;

string_distance() assumes non-NULL too.

probably shortcircuit chain_lookup_fuzzy() earlier since h->chain.name
is always NULL, to avoid the useless loop.

Patch attached.

>  	max_len = max(len_a, len_b);
>  	min_len = min(len_a, len_b);
> -- 
> 2.34.1
> 

[-- Attachment #2: x.patch --]
[-- Type: text/x-diff, Size: 376 bytes --]

diff --git a/src/rule.c b/src/rule.c
index b1700c40079d..19b8cb0323ee 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -758,6 +758,9 @@ struct chain *chain_lookup_fuzzy(const struct handle *h,
 	struct table *table;
 	struct chain *chain;
 
+	if (!h->chain.name)
+		return NULL;
+
 	string_misspell_init(&st);
 
 	list_for_each_entry(table, &cache->table_cache.list, cache.list) {

Re: [nft PATCH] misspell: Avoid segfault with anonymous chains

[Phil Sutter]

On Fri, Mar 04, 2022 at 12:11:53PM +0100, Pablo Neira Ayuso wrote:
> Hi Phil,
> 
> On Fri, Mar 04, 2022 at 11:37:11AM +0100, Phil Sutter wrote:
> > When trying to add a rule which contains an anonymous chain to a
> > non-existent chain, string_misspell_update() is called with a NULL
> > string because the anonymous chain has no name. Avoid this by making the
> > function NULL-pointer tolerant.
> > 
> > c330152b7f777 ("src: support for implicit chain bindings")
> > 
> > Signed-off-by: Phil Sutter <phil@nwl.cc>
> > ---
> >  src/misspell.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/src/misspell.c b/src/misspell.c
> > index 6536d7557a445..f213a240005e6 100644
> > --- a/src/misspell.c
> > +++ b/src/misspell.c
> > @@ -80,8 +80,8 @@ int string_misspell_update(const char *a, const char *b,
> >  {
> >  	unsigned int len_a, len_b, max_len, min_len, distance, threshold;
> >  
> > -	len_a = strlen(a);
> > -	len_b = strlen(b);
> > +	len_a = a ? strlen(a) : 0;
> > +	len_b = b ? strlen(b) : 0;
> 
> string_distance() assumes non-NULL too.

Which is called from string_misspell_update() only which with my patch
returns early due to 'max_len <= 1'.

> probably shortcircuit chain_lookup_fuzzy() earlier since h->chain.name
> is always NULL, to avoid the useless loop.

Fine with me, too! What about allocating a name for the anonymous chain
instead? I guess similar treatment as with sets would make sense. Might
also help with netlink debug output:

| # nft --debug=netlink insert rule inet x y 'goto { accept; }'
| inet (null) (null) use 0
| inet x
|   [ immediate reg 0 accept ]
| 
|   inet x y
|     [ immediate reg 0 goto ]
| [...]

Thanks, Phil

Re: [nft PATCH] misspell: Avoid segfault with anonymous chains

[Pablo Neira Ayuso]

On Fri, Mar 04, 2022 at 01:15:59PM +0100, Phil Sutter wrote:
> On Fri, Mar 04, 2022 at 12:11:53PM +0100, Pablo Neira Ayuso wrote:
> > Hi Phil,
> > 
> > On Fri, Mar 04, 2022 at 11:37:11AM +0100, Phil Sutter wrote:
> > > When trying to add a rule which contains an anonymous chain to a
> > > non-existent chain, string_misspell_update() is called with a NULL
> > > string because the anonymous chain has no name. Avoid this by making the
> > > function NULL-pointer tolerant.
> > > 
> > > c330152b7f777 ("src: support for implicit chain bindings")
> > > 
> > > Signed-off-by: Phil Sutter <phil@nwl.cc>
> > > ---
> > >  src/misspell.c | 4 ++--
> > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/src/misspell.c b/src/misspell.c
> > > index 6536d7557a445..f213a240005e6 100644
> > > --- a/src/misspell.c
> > > +++ b/src/misspell.c
> > > @@ -80,8 +80,8 @@ int string_misspell_update(const char *a, const char *b,
> > >  {
> > >  	unsigned int len_a, len_b, max_len, min_len, distance, threshold;
> > >  
> > > -	len_a = strlen(a);
> > > -	len_b = strlen(b);
> > > +	len_a = a ? strlen(a) : 0;
> > > +	len_b = b ? strlen(b) : 0;
> > 
> > string_distance() assumes non-NULL too.
> 
> Which is called from string_misspell_update() only which with my patch
> returns early due to 'max_len <= 1'.
> 
> > probably shortcircuit chain_lookup_fuzzy() earlier since h->chain.name
> > is always NULL, to avoid the useless loop.
> 
> Fine with me, too! What about allocating a name for the anonymous chain
> instead?

A dummy name could be allocated, but the kernel does not need the
chain name at this stage (it uses the ephemeral 32-bit chain ID
instead which is only valid in the netlink batch).

Probably set_lookup_fuzzy() should also short-circuit early the
misspell logic for anonymous sets.

> I guess similar treatment as with sets would make sense. Might
> also help with netlink debug output:
>
> | # nft --debug=netlink insert rule inet x y 'goto { accept; }'
> | inet (null) (null) use 0

# nft add table x
# nft --debug=netlink add chain x y
ip (null) (null) use 0

table is null, at least this one should be set on, but this is
a partially different issue.

> | inet x
> |   [ immediate reg 0 accept ]
> | 
> |   inet x y
> |     [ immediate reg 0 goto ]
> | [...]
> 
> Thanks, Phil