[pkg-netfilter-team] Bug#1063690: Bug Explanation
Jeremy Sowden
jeremy at azazel.net
Sun Feb 18 17:35:12 GMT 2024
When it parses:
    table inet t {
    }
    table inet t {
        set s {
            type inet_service
            elements = { 42 }
        }
    }
the nft bison parser creates two `CMD_ADD` commands and allocates two
`struct table` objects (which I shall refer to as `t0` and `t1`). When
it creates the second command, it also allocates a `struct set` object,
`s`, which it adds to `t1->sets`. After the `CMD_ADD` commands for `t0`
and `t1` have been expanded, when the new `CMD_ADD` command for `s` is
evaluated, the `set_evaluate` function does this:
    table = table_lookup_global(ctx);
    if (table == NULL)
        return table_not_found(ctx);
    // ...
    if (set_lookup(table, set->handle.set.name) == NULL)
        set_add_hash(set_get(set), table);
The `struct table` object returned by `table_lookup_global` is `t0`,
since this was evaluated first and cached by `table_evaluate`, not `t1`.
Therefore, `set_lookup` returns `NULL`, `set_add_hash` is called, `s` is
added to `t0->sets`, and `t1->sets` is effectively corrupted. It now
contains two elements which point to each other, and one of them is not
a set at all, but `t0->sets`. This results in a seg-fault when nft
tries to free `t1`.
The patch I attached previously is not complete. I have attached an
updated one.
J.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-set-evaluation-after-cmd-expansion.patch
Type: text/x-diff
Size: 1061 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-netfilter-team/attachments/20240218/8a664cee/attachment.patch>
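Added illustration (not nft code and not the attached patch): a minimal C model of the list corruption described in the message, using a Linux-style `list_head` as a stand-in for nft's set list handling and constructed `struct table` / `struct set` types. It links `s` into `t1->sets`, then into `t0->sets` without unlinking, and a consistency check shows the resulting loop between `s` and `t0->sets` that the freeing walk over `t1->sets` would run into.

```c
#include <stdbool.h>
/* Linux-style circular doubly-linked list, like nft uses for table->sets. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h;
	h->prev->next = n; h->prev = n;
}

/* Constructed stand-ins for nft's struct table and struct set. */
struct table { struct list_head sets; };
struct set   { struct list_head list; };

/* Walk t->sets and verify the list invariants: every node's next->prev
 * points back to it, the walk never lands on another table's list head
 * (a node that is "not a set at all"), and the walk terminates. */
static bool sets_list_consistent(const struct table *t, const struct table *other)
{
	const struct list_head *p = t->sets.next;
	int steps = 0;
	while (p != &t->sets) {
		if (p == &other->sets || p->next->prev != p || ++steps > 64)
			return false;
		p = p->next;
	}
	return true;
}

/* The bug: the parser has already linked s into t1->sets; set_add_hash()
 * then links it into t0->sets as well, without unlinking it first. */
static bool reproduce_corruption(void)
{
	struct table t0, t1; struct set s;
	list_init(&t0.sets); list_init(&t1.sets);
	list_add_tail(&s.list, &t1.sets);   /* parser: s -> t1->sets */
	list_add_tail(&s.list, &t0.sets);   /* set_add_hash(s, t0): wrong table */
	return sets_list_consistent(&t1, &t0); /* false: t1->sets is corrupt */
}

/* Expected behaviour: set_evaluate() resolves t1, set_lookup() finds s
 * there, and nothing is re-added, so both lists stay consistent. */
static bool correct_behaviour(void)
{
	struct table t0, t1; struct set s;
	list_init(&t0.sets); list_init(&t1.sets);
	list_add_tail(&s.list, &t1.sets);
	return sets_list_consistent(&t1, &t0) && sets_list_consistent(&t0, &t1);
}
```

Without the `other` and step-bound checks, the walk over the corrupted `t1->sets` would cycle between `s` and `t0->sets` forever, which is the shape of the list nft frees when it tears down `t1`.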