[pkg-netfilter-team] Bug#946996: wireguard-tools: 'wg-quick down' segfaults

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 22 21:47:17 GMT 2020


Control: tags 946996 + moreinfo

On Tue 2020-01-21 22:18:45 -0500, Celejar wrote:
> Sorry, I'm still getting it:
>
> ~# apt-cache policy wireguard-tools 
> wireguard-tools:
>   Installed: 1.0.20200102-1
>   Candidate: 1.0.20200102-1
>   Version table:
>  *** 1.0.20200102-1 500
>         500 http://deb.debian.org/debian sid/main amd64 Packages
>         100 /var/lib/dpkg/status
>
> ~# ifdown wg0
> [#] ip -4 rule delete table 51820
> [#] ip -4 rule delete table main suppress_prefixlength 0
> [#] ip link delete dev wg0
> [#] resolvconf -d tun.wg0 -f
> [#] iptables-restore -n
> /usr/bin/wg-quick: line 29: 186243 Segmentation fault      "$@"

Interesting.  Can you modify wg-quick locally to expose what is being
piped into iptables-restore -n in this instance?

For example, a change like this:

----------------
--- wg-quick.orig	2020-01-22 16:05:42.456100207 -0500
+++ wg-quick	2020-01-22 16:45:35.936536027 -0500
@@ -198,6 +198,7 @@
 				[[ $line == "-A"* ]] && found=1
 				printf -v restore '%s%s\n' "$restore" "${line/#-A/-D}"
 			done < <($iptables-save 2>/dev/null)
+                        [[ $found -ne 1 ]] || echo -n "RESTORING: $restore" >&2
 			[[ $found -ne 1 ]] || echo -n "$restore" | cmd $iptables-restore -n
 		done
 	fi
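Review bot: The added `echo -n "RESTORING: $restore" >&2` line puts the label on the same line as the first line of `$restore`, so the captured stderr text cannot be fed straight back into `iptables-restore -n` without first stripping the prefix. Printing the label on a line of its own would let the dump be replayed unchanged. The new line is also indented with spaces where the neighbouring lines use tabs, and it repeats the `[[ $found -ne 1 ]] ||` guard from the following line; both commands could sit under one test.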
----------------

Then report back what is printed there, and see whether feeding it into
"iptables-restore -n" on its own is sufficient to cause a segfault.

Thanks for taking the time to report and debug!

        --dkg