[pkg-netfilter-team] Bug#946996: wireguard-tools: 'wg-quick down' segfaults

Celejar celejar at gmail.com
Thu Jan 23 05:01:57 GMT 2020


On Wed, 22 Jan 2020 16:47:17 -0500
Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:

> Control: tags 946996 + moreinfo
> 
> On Tue 2020-01-21 22:18:45 -0500, Celejar wrote:
> > Sorry, I'm still getting it:
> >
> > ~# apt-cache policy wireguard-tools 
> > wireguard-tools:
> >   Installed: 1.0.20200102-1
> >   Candidate: 1.0.20200102-1
> >   Version table:
> >  *** 1.0.20200102-1 500
> >         500 http://deb.debian.org/debian sid/main amd64 Packages
> >         100 /var/lib/dpkg/status
> >
> > ~# ifdown wg0
> > [#] ip -4 rule delete table 51820
> > [#] ip -4 rule delete table main suppress_prefixlength 0
> > [#] ip link delete dev wg0
> > [#] resolvconf -d tun.wg0 -f
> > [#] iptables-restore -n
> > /usr/bin/wg-quick: line 29: 186243 Segmentation fault      "$@"
> 
> Interesting.  Can you modify wg-quick locally to expose what is being
> piped into iptables-restore -n in this instance?
> 
> For example, a change like this:
> 
> ----------------
> --- wg-quick.orig	2020-01-22 16:05:42.456100207 -0500
> +++ wg-quick	2020-01-22 16:45:35.936536027 -0500
> @@ -198,6 +198,7 @@
>  				[[ $line == "-A"* ]] && found=1
>  				printf -v restore '%s%s\n' "$restore" "${line/#-A/-D}"
>  			done < <($iptables-save 2>/dev/null)
> +                        [[ $found -ne 1 ]] || echo -n "RESTORING: $restore" >&2
>  			[[ $found -ne 1 ]] || echo -n "$restore" | cmd $iptables-restore -n
>  		done
>  	fi
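
Review bot: The added `echo -n "RESTORING: $restore" >&2` line puts the label on the same line as the first line of `$restore`, which the loop above builds up one newline-terminated line at a time with `printf -v restore '%s%s\n'`. Anyone copying the stderr output back into `iptables-restore -n` by hand, as the follow-up step asks, has to strip the prefix first. Printing the label on its own line, for example `printf 'RESTORING:\n%s' "$restore" >&2`, keeps the dumped ruleset byte-for-byte what is piped on the next line. The new line is also indented with spaces while the surrounding lines use tabs.
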
> ----------------
> 
> Then report back what is printed there, and see whether feeding it into
> "iptables-restore -n" on its own is sufficient to cause a segfault.

So right after my last email, I upgraded to 1.0.20200121-1, and now I
no longer get a segfault. Is there anything further I should do? Should
I do a downgrade and try your modification?

> thanks for taking the time to report and debug!

Celejar


