[pkg-netfilter-team] Bug#1017723: bullseye-pu: package nftables/0.9.8-3.2

Jeremy Sowden jeremy at azazel.net
Mon Oct 31 20:40:18 GMT 2022


On 2022-09-04, at 15:09:10 +0100, Jeremy Sowden wrote:
> On 2022-09-03, at 14:53:45 +0100, Adam D. Barratt wrote:
> > On Fri, 2022-08-19 at 16:05 +0100, Jeremy Sowden wrote:
> > > The related nftables bug is:
> > > 
> > >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017359
> > > 
> > > [ Reason ]
> > > nftables uses a fixed-size array containing the locations of the
> > > expressions within each rule that it sends to the kernel to provide
> > > more informative error-reporting.  If the rule is rejected by the
> > > kernel, the kernel will provide an ID for the expression which was
> > > responsible, and nftables will use this to highlight it when
> > > outputting the rule in the error message:
> > > 
> > >  # nft add rule t c iif lo reject with icmp 255
> > >  Error: Could not process rule: Invalid argument
> > >  add rule t c iif lo reject with icmp 255
> > >                      ^^^^^^
> > > 
> > > There is an off-by-one error in the bounds-checking used before
> > > adding the details of an expression to this array.  The result of
> > > this is that if a rule contains enough expressions, nftables will
> > > write past the end of the array leading to memory-corruption and
> > > possibly crashes.
> > 
> > The debdiff is somewhat confusing.
> > 
> > +nftables (0.9.8-3.2) unstable; urgency=medium
> > 
> > This is an upload to bullseye, not unstable. Additionally, the version
> > should be 0.9.8-3.1+deb11u1.
> > 
> > + -- Sven Auhagen <sven.auhagen at voleatech.de>  Sat, 16 Jul 2022 11:29:27 +0200
> > 
> > Who is this? It's obviously not you, but also doesn't appear to be
> > related to the nftables bug report you mentioned.
> 
> Whoops.  Silly mistakes.  Still learning the ropes.  I've amended the
> change-log entry.
> 
> I've also added myself to `Uploaders` (I am already listed as one in
> testing and unstable).
> 
> New debdiff attached.

Is there anything more I can do to get a decision on this bug?  Or do
I just need to be more patient? :)

J.

> diff -Nru nftables-0.9.8/debian/changelog nftables-0.9.8/debian/changelog
> --- nftables-0.9.8/debian/changelog	2021-07-20 09:01:47.000000000 +0100
> +++ nftables-0.9.8/debian/changelog	2022-09-04 09:34:11.000000000 +0100
> @@ -1,3 +1,14 @@
> +nftables (0.9.8-3.1+deb11u1) bullseye; urgency=medium
> +
> +  * d/p/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
> +    It fixes a one off for the check for NFT_NLATTR_LOC_MAX
> +    which leads to double free or corruption (out) error.
> +    Thanks to Sven Auhagen <sven.auhagen at voleatech.de> for
> +    suggesting the fix (closes: #1017359).
> +  * d/control: add myself to uploaders.
> +
> + -- Jeremy Sowden <jeremy at azazel.net>  Sun, 04 Sep 2022 09:34:11 +0100
> +
>  nftables (0.9.8-3.1) unstable; urgency=medium
>  
>    * Non-maintainer upload.
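Review bot: the changelog line `+    It fixes a one off for the check for NFT_NLATTR_LOC_MAX` should say "off-by-one" and name what is overflowed, since a stable user reading the changelog gets no impact statement from "double free or corruption (out) error" alone. Something like "Fix off-by-one in the NFT_NLATTR_LOC_MAX bounds check in cmd_add_loc(): a rule with enough expressions wrote one element past the end of the error-location array, corrupting the heap" states the bug, the trigger and the consequence in one sentence. Version and distribution (0.9.8-3.1+deb11u1, bullseye) now match what a bullseye-pu upload needs.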
> diff -Nru nftables-0.9.8/debian/control nftables-0.9.8/debian/control
> --- nftables-0.9.8/debian/control	2021-07-20 09:01:47.000000000 +0100
> +++ nftables-0.9.8/debian/control	2022-09-04 09:34:11.000000000 +0100
> @@ -2,7 +2,8 @@
>  Section: net
>  Priority: important
>  Maintainer: Debian Netfilter Packaging Team <pkg-netfilter-team at lists.alioth.debian.org>
> -Uploaders: Arturo Borrero Gonzalez <arturo at debian.org>
> +Uploaders: Arturo Borrero Gonzalez <arturo at debian.org>,
> +           Jeremy Sowden <jeremy at azazel.net>
>  Build-Depends: asciidoc-base,
>                 automake,
>                 bison,
> diff -Nru nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
> --- nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch	1970-01-01 01:00:00.000000000 +0100
> +++ nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch	2022-09-04 09:26:53.000000000 +0100
> @@ -0,0 +1,32 @@
> +From 2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd Mon Sep 17 00:00:00 2001
> +From: Phil Sutter <phil at nwl.cc>
> +Date: Fri, 11 Jun 2021 17:08:34 +0200
> +Subject: rule: Fix for potential off-by-one in cmd_add_loc()
> +
> +Using num_attrs as index means it must be at max one less than the
> +array's size at function start.
> +
> +Fixes: 27362a5bfa433 ("rule: larger number of error locations")
> +Signed-off-by: Phil Sutter <phil at nwl.cc>
> +---
> + src/rule.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +(limited to 'src/rule.c')
> +
> +diff --git a/src/rule.c b/src/rule.c
> +index dbbe744e..92daf2f3 100644
> +--- a/src/rule.c
> ++++ b/src/rule.c
> +@@ -1275,7 +1275,7 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
> + 
> + void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc)
> + {
> +-	if (cmd->num_attrs > NFT_NLATTR_LOC_MAX)
> ++	if (cmd->num_attrs >= NFT_NLATTR_LOC_MAX)
> + 		return;
> + 
> + 	cmd->attr[cmd->num_attrs].offset = offset;
> +-- 
> +cgit v1.2.3
> +
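Review bot: the change from `-	if (cmd->num_attrs > NFT_NLATTR_LOC_MAX)` to `+	if (cmd->num_attrs >= NFT_NLATTR_LOC_MAX)` is the right fix: the next line uses num_attrs as the index into attr[], so the old test still admitted num_attrs == NFT_NLATTR_LOC_MAX and stored into attr[NFT_NLATTR_LOC_MAX], one element past the array, which is the out-of-bounds write the bug report describes. Two packaging points on the patch file itself: it carries the upstream git headers and `Fixes:` tag but no DEP-3 `Origin:` or `Bug-Debian:` fields, which would let the tracker tie it to #1017359 and the upstream commit 2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd; and the cgit trailer lines `(limited to 'src/rule.c')` and `cgit v1.2.3` are download residue that quilt tolerates but which should be stripped so the file contains only the commit.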
> diff -Nru nftables-0.9.8/debian/patches/series nftables-0.9.8/debian/patches/series
> --- nftables-0.9.8/debian/patches/series	2021-07-20 09:01:47.000000000 +0100
> +++ nftables-0.9.8/debian/patches/series	2022-09-04 09:26:53.000000000 +0100
> @@ -1 +1,2 @@
>  payload-check-icmp-dependency-before-removing-previo.patch
> +rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
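As an added illustration, not part of this thread or of the nftables source, the following C model of cmd_add_loc() shows why the old `>` test leaves exactly one slot of overflow and the `>=` test closes it. The value of NFT_NLATTR_LOC_MAX, the struct layouts and the helper names are assumptions made for the example; the real definitions live in nftables' include/rule.h and src/rule.c and are not shown on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed small value for the demonstration; the real constant in
 * nftables' include/rule.h is not shown on the page. */
#define NFT_NLATTR_LOC_MAX 8

struct location { int line; int col; };

/* One recorded expression location: its offset inside the netlink
 * message and the source location the parser attached to it. */
struct nlerr_loc {
	uint16_t offset;
	const struct location *loc;
};

/* Fixed-size table of locations, indexed by num_attrs (model of the
 * relevant members of struct cmd). */
struct cmd {
	unsigned int num_attrs;
	struct nlerr_loc attr[NFT_NLATTR_LOC_MAX];
};

/* Bounds test as it stood before the patch ('>'): returns true when the
 * store would go ahead.  For num_attrs == NFT_NLATTR_LOC_MAX this is
 * true, so the caller would write attr[NFT_NLATTR_LOC_MAX], one past
 * the end of the array. */
bool loc_write_allowed_before_fix(unsigned int num_attrs)
{
	return !(num_attrs > NFT_NLATTR_LOC_MAX);
}

/* Corrected test ('>='): the highest index that can be written is
 * NFT_NLATTR_LOC_MAX - 1, the last valid element. */
bool loc_write_allowed_after_fix(unsigned int num_attrs)
{
	return !(num_attrs >= NFT_NLATTR_LOC_MAX);
}

/* Highest index a given bounds test would let through, probing a little
 * past the array so an off-by-one shows up as NFT_NLATTR_LOC_MAX. */
unsigned int highest_index_accepted(bool (*allowed)(unsigned int))
{
	unsigned int i, highest = 0;

	for (i = 0; i <= NFT_NLATTR_LOC_MAX + 1; i++)
		if (allowed(i))
			highest = i;
	return highest;
}

/* Model of cmd_add_loc() with the corrected check.  Returns true when the
 * location was recorded and false when the table is full and the
 * location was dropped; nftables then still reports the kernel error,
 * just without a caret under the offending expression. */
bool cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc)
{
	if (!loc_write_allowed_after_fix(cmd->num_attrs))
		return false;

	cmd->attr[cmd->num_attrs].offset = offset;
	cmd->attr[cmd->num_attrs].loc = loc;
	cmd->num_attrs++;
	return true;
}

/* Feed n expression locations through cmd_add_loc() and return how many
 * were stored: never more than NFT_NLATTR_LOC_MAX, whatever n is. */
unsigned int record_locations(unsigned int n)
{
	static const struct location dummy = { 1, 1 };
	struct cmd cmd = { .num_attrs = 0 };
	unsigned int i;

	for (i = 0; i < n; i++)
		cmd_add_loc(&cmd, (uint16_t)(i * 4), &dummy);
	return cmd.num_attrs;
}

int main(void)
{
	printf("array size %u: old check admits index %u, new check admits index %u\n",
	       NFT_NLATTR_LOC_MAX,
	       highest_index_accepted(loc_write_allowed_before_fix),
	       highest_index_accepted(loc_write_allowed_after_fix));
	printf("rule with %u expressions stores %u locations\n",
	       NFT_NLATTR_LOC_MAX + 5, record_locations(NFT_NLATTR_LOC_MAX + 5));
	return 0;
}
```

The general rule the patch applies: when a counter is used directly as the index for the next store, the guard must reject counter == capacity, not just counter > capacity. A quick check on any such "add to fixed table" helper is to ask what index the store uses and whether the guard can ever let that index equal the array length.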