Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> Program received signal SIGSEGV, Segmentation fault.
> 0x00007ffff7f64f1e in erec_print (octx=0x55555555d2c0, erec=0x55555555fcf0, debug_mask=0) at erec.c:95
> 95        switch (indesc->type) {
> (gdb) bt
> buf=0x55555555db20 "add rule inet traffic-filter input tcp dport { 22, 80, 443 } accept") at libnftables.c:459
> (gdb) p indesc
> $1 = (const struct input_descriptor *) 0x0
>
> Closes: http://bugzilla.opensuse.org/show_bug.cgi?id=1171321
> Fixes: 086ec6f30c96 ("mnl: extended error support for create command")
> Reported-by: Jan Engelhardt <jengelh@xxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

Yes, but there is something else going on.

The command above works without this patch if you use a shorter table name.

There is another bug that causes nft to pull the wrong error object from the queue.

The kernel doesn't generate an error for NFTA_SET_NAME in the above rule, so we should not crash even without this (correct) fix, because nft should not find this particular error object.

Seems the generated error is for NFTA_SET_ELEM_LIST_TABLE when handling nf_tables_newsetelem() in the kernel (which makes sense, the table doesn't exist).

With the above command (traffic-filter), NFTA_SET_NAME's start offset matches the offset of the NFTA_SET_ELEM_LIST_TABLE error message in the other netlink message (the one adding the element to the set), so it will erroneously find the cmd_add_loc() of NFTA_SET_NAME and then barf because of the bug fixed here.

Not sure how to fix nft_cmd_error(), it looks like the error queueing assumes a 1:1 mapping of cmd struct and netlink message header...?
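The offset collision described in the reply above, as an added model (this is not nft's code and not part of the thread): one cmd emits several netlink messages that share its sequence number, every attribute location is recorded against that one cmd by byte offset only, and a kernel error offset from the second message can therefore match a location recorded while building the first. The attribute layouts, the order of attributes in the element message and the `ATTR_*` names standing in for the `NFTA_*` constants are constructed for illustration, not the real nf_tables wire layout; the keyed lookup at the end is one way to disambiguate and is my illustration, not a fix adopted by the project.

```c
/* Added example, not nft code: model of offset-only error-location lookup
 * across several netlink messages that belong to one cmd. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NLMSG_HDRLEN   16u  /* struct nlmsghdr */
#define NFGENMSG_LEN    4u  /* struct nfgenmsg */
#define NLA_HDRLEN      4u  /* struct nlattr */
#define NLA_ALIGN(len)  (((len) + 3u) & ~3u)

/* Stand-ins for NFTA_SET_TABLE, NFTA_SET_NAME, NFTA_SET_ELEM_LIST_SET,
 * NFTA_SET_ELEM_LIST_SET_ID and NFTA_SET_ELEM_LIST_TABLE (assumed names). */
enum attr {
    ATTR_NONE = 0,
    ATTR_SET_TABLE, ATTR_SET_NAME,
    ATTR_SET_ELEM_LIST_SET, ATTR_SET_ELEM_LIST_SET_ID, ATTR_SET_ELEM_LIST_TABLE
};

/* What the model's cmd_add_loc() records: the attribute's byte offset and,
 * for the keyed variant, the index of the message it was written into. */
struct attr_loc { enum attr attr; uint32_t msg_idx; uint32_t offset; };

struct cmd { uint32_t seqnum; struct attr_loc loc[8]; int nloc; };

struct msg_builder { uint32_t len; uint32_t idx; };

static void record(struct msg_builder *m, struct cmd *cmd, enum attr a)
{
    cmd->loc[cmd->nloc++] = (struct attr_loc){ a, m->idx, m->len };
}

/* NUL-terminated string attribute, padded to 4 bytes like NLA_ALIGN. */
static void put_str(struct msg_builder *m, struct cmd *cmd, enum attr a, const char *s)
{
    record(m, cmd, a);
    m->len += NLA_HDRLEN + NLA_ALIGN((uint32_t)strlen(s) + 1u);
}

static void put_u32(struct msg_builder *m, struct cmd *cmd, enum attr a)
{
    record(m, cmd, a);
    m->len += NLA_HDRLEN + 4u;
}

/* One "add rule ... { 22, 80, 443 }" cmd becomes a NEWSET message (idx 0)
 * and a NEWSETELEM message (idx 1), both tagged with cmd->seqnum.
 * Returns the offset of the table attribute in the NEWSETELEM message,
 * which is where the kernel's error points when the table does not exist.
 * Constructed layout: the element message carries set name and set id
 * before the table name. */
static uint32_t build_batch(struct cmd *cmd, const char *table)
{
    struct msg_builder newset     = { NLMSG_HDRLEN + NFGENMSG_LEN, 0 };
    struct msg_builder newsetelem = { NLMSG_HDRLEN + NFGENMSG_LEN, 1 };
    uint32_t err_off;

    cmd->nloc = 0;
    put_str(&newset, cmd, ATTR_SET_TABLE, table);
    put_str(&newset, cmd, ATTR_SET_NAME, "__set0");

    put_str(&newsetelem, cmd, ATTR_SET_ELEM_LIST_SET, "__set0");
    put_u32(&newsetelem, cmd, ATTR_SET_ELEM_LIST_SET_ID);
    err_off = newsetelem.len;
    put_str(&newsetelem, cmd, ATTR_SET_ELEM_LIST_TABLE, table);
    return err_off;
}

/* Offset-only lookup: first recorded location with a matching offset,
 * regardless of which message it came from. */
static enum attr naive_blame(const char *table)
{
    struct cmd cmd = { .seqnum = 1 };
    uint32_t err_off = build_batch(&cmd, table);
    for (int i = 0; i < cmd.nloc; i++)
        if (cmd.loc[i].offset == err_off)
            return cmd.loc[i].attr;
    return ATTR_NONE;
}

/* Keyed lookup (illustration only): restrict the search to locations
 * recorded while building the message the error refers to. */
static enum attr keyed_blame(const char *table)
{
    struct cmd cmd = { .seqnum = 1 };
    uint32_t err_off = build_batch(&cmd, table);
    for (int i = 0; i < cmd.nloc; i++)
        if (cmd.loc[i].msg_idx == 1 && cmd.loc[i].offset == err_off)
            return cmd.loc[i].attr;
    return ATTR_NONE;
}

int main(void)
{
    /* With "traffic-filter" the NEWSET name attribute and the NEWSETELEM
     * table attribute both land at offset 40, so the naive lookup blames
     * ATTR_SET_NAME; with the shorter "filter" the offsets differ. */
    printf("naive traffic-filter -> %d (ATTR_SET_NAME=%d)\n", naive_blame("traffic-filter"), ATTR_SET_NAME);
    printf("naive filter         -> %d\n", naive_blame("filter"));
    printf("keyed traffic-filter -> %d (ATTR_SET_ELEM_LIST_TABLE=%d)\n", keyed_blame("traffic-filter"), ATTR_SET_ELEM_LIST_TABLE);
    return 0;
}
```

The collision only exists for table names whose padded length puts the NEWSET name attribute at the same offset as the element message's table attribute, which is why a shorter table name makes the symptom disappear without touching the lookup.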