[pkg-netfilter-team] Bug#1021590: iptables: segfault when renaming a chain

Louis Bouchard lbouchard at scaleway.com
Tue Oct 11 14:39:40 BST 2022


Package: iptables
Version: 1.8.8-1
Severity: important
Tags: upstream
X-Debbugs-Cc: lbouchard at scaleway.com

This is the description for the upstream fix of this bug [1]:

This is an odd bug: If the number of chains is right and one renames the
last one in the list, libiptc dereferences a NULL pointer.

Commit 97bf4e68fc0794adba3243fd96f40f4568e7216f fixes this bug upstream.
This bug is to have the fix included in Debian in order to avoid such
segmentation faults.

For Sid, iptables uses the new nft libraries so the problem
does not appear unless the -legacy commands are used.

The following code (adapted from the upstream commit to work on Sid)
may be used to reproduce the issue:
----------------------------------------8<--------------------------------
#!/bin/bash
#
# Cover for a bug in libiptc:
# - the chain 'node-98-tmp' is the last in the list sorted by name
# - there are 81 chains in total, so three chain index buckets
# - the last index bucket contains only the 'node-98-tmp' chain
# => rename temporarily removes it from the bucket, leaving a NULL bucket
#    behind which is dereferenced later when inserting the chain again with
#    new name again
#
# XT_MULTI is set by the upstream test suite; when it is unset the
# -legacy commands are looked up in PATH.

(
  echo "*filter"
  # The chain list is one logical line; the backslashes continue it.
  for chain in node-1 node-10 node-101 node-102 node-104 node-107 \
    node-11 node-12 node-13 node-14 node-15 node-16 node-17 node-18 \
    node-19 node-2 node-20 node-21 node-22 node-23 node-25 node-26 node-27 \
    node-28 node-29 node-3 node-30 node-31 node-32 node-33 node-34 node-36 \
    node-37 node-39 node-4 node-40 node-41 node-42 node-43 node-44 node-45 \
    node-46 node-47 node-48 node-49 node-5 node-50 node-51 node-53 node-54 \
    node-55 node-56 node-57 node-58 node-59 node-6 node-60 node-61 node-62 \
    node-63 node-64 node-65 node-66 node-68 node-69 node-7 node-70 node-71 \
    node-74 node-75 node-76 node-8 node-80 node-81 node-86 node-89 node-9 \
    node-92 node-93 node-95 node-98-tmp; do
    echo ":$chain - [0:0]"
  done
  echo "COMMIT"
) | $XT_MULTI iptables-legacy-restore
$XT_MULTI iptables-legacy -E node-98-tmp node-98
exit $?
---------------------------------------->8--------------------------------

[1] http://git.netfilter.org/iptables/commit/?id=97bf4e68fc0794adba3243fd96f40f4568e7216f


-- System Information:
Debian Release: bookworm/sid
   APT prefers unstable
   APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-2-cloud-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.35-3
ii  libip4tc2                1.8.8-1
ii  libip6tc2                1.8.8-1
ii  libmnl0                  1.0.4-3
ii  libnetfilter-conntrack3  1.0.9-2
ii  libnfnetlink0            1.0.2-2
ii  libnftnl11               1.2.3-1
ii  libxtables12             1.8.8-1
ii  netbase                  6.3

Versions of packages iptables recommends:
pn  nftables  <none>

Versions of packages iptables suggests:
pn  firewalld  <none>
ii  kmod       30+20220905-1

-- no debconf information
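
A preflight check for the chain layout this report describes, as an added example that is not part of the original report or of iptables: it reads an iptables-save style dump and flags a rename of the last chain by name when that chain would sit alone in the final index bucket. The bucket length of 40 is an assumption inferred from the report's figures (81 chains, three buckets, one chain in the last), and the function names and sample chain names are constructed.

```shell
#!/bin/bash
# Added example, not from the report or from iptables.
# Assumptions: the chain index holds BUCKET_LEN chains per bucket (40, inferred
# from "81 chains, three buckets, last bucket holds one chain"), only
# user-defined chains are counted, and names are ordered bytewise.
BUCKET_LEN=${BUCKET_LEN:-40}

# rename_hits_lone_bucket TABLE CHAIN   (iptables-save format on stdin)
# Succeeds when CHAIN is last by name, there is more than one bucket, and the
# last bucket would hold only CHAIN.
rename_hits_lone_bucket() {
  local table=$1 target=$2 chains count last
  chains=$(awk -v t="*$table" '
      /^\*/ { in_t = ($0 == t); next }
      # user-defined chains carry "-" as policy, built-in ones ACCEPT or DROP
      in_t && /^:/ && $2 == "-" { print substr($1, 2) }
    ' | LC_ALL=C sort)
  [ -n "$chains" ] || return 1
  count=$(( $(printf '%s\n' "$chains" | wc -l) ))
  last=$(printf '%s\n' "$chains" | tail -n 1)
  [ "$last" = "$target" ] &&
    [ "$count" -gt "$BUCKET_LEN" ] &&
    [ $(( count % BUCKET_LEN )) -eq 1 ]
}

# Constructed sample dump with N user chains node-001..node-N (not real output).
sample_dump() {
  local n=$1 i=1
  echo "*filter"
  echo ":INPUT ACCEPT [0:0]"
  while [ "$i" -le "$n" ]; do
    printf ':node-%03d - [0:0]\n' "$i"
    i=$(( i + 1 ))
  done
  echo "COMMIT"
}

if sample_dump 81 | rename_hits_lone_bucket filter node-081; then
  echo "node-081: rename matches the reported condition"
fi
```

Against a live legacy ruleset the input would come from `iptables-legacy-save`; a match means the rename should wait until the fixed libiptc is installed.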


