Re: [nft PATCH] misspell: Avoid segfault with anonymous chains

On Fri, Mar 04, 2022 at 01:15:59PM +0100, Phil Sutter wrote:
> On Fri, Mar 04, 2022 at 12:11:53PM +0100, Pablo Neira Ayuso wrote:
> > Hi Phil,
> > 
> > On Fri, Mar 04, 2022 at 11:37:11AM +0100, Phil Sutter wrote:
> > > When trying to add a rule which contains an anonymous chain to a
> > > non-existent chain, string_misspell_update() is called with a NULL
> > > string because the anonymous chain has no name. Avoid this by making the
> > > function NULL-pointer tolerant.
> > > 
> > > c330152b7f777 ("src: support for implicit chain bindings")
> > > 
> > > Signed-off-by: Phil Sutter <phil@xxxxxx>
> > > ---
> > >  src/misspell.c | 4 ++--
> > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/src/misspell.c b/src/misspell.c
> > > index 6536d7557a445..f213a240005e6 100644
> > > --- a/src/misspell.c
> > > +++ b/src/misspell.c
> > > @@ -80,8 +80,8 @@ int string_misspell_update(const char *a, const char *b,
> > >  {
> > >  	unsigned int len_a, len_b, max_len, min_len, distance, threshold;
> > >  
> > > -	len_a = strlen(a);
> > > -	len_b = strlen(b);
> > > +	len_a = a ? strlen(a) : 0;
> > > +	len_b = b ? strlen(b) : 0;
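Review bot: the guard only covers the two strlen() calls; nothing in the hunk stops a NULL `a` or `b` from reaching string_distance() further down in the same function, and the 'max_len <= 1' early return the reply relies on only fires when the non-NULL side is at most one character long (if max_len is the larger of the two lengths, a NULL side contributes 0 and max_len is simply the other string's length). Making the intent explicit at the top of the function, e.g. `if (!a || !b) return 0;` before the length computations, removes the dependency on the later length heuristics; the alternative raised in the thread, short-circuiting chain_lookup_fuzzy() in the caller when h->chain.name is NULL, avoids the loop entirely.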
> > 
> > string_distance() assumes non-NULL too.
> 
> Which is called from string_misspell_update() only, which with my patch
> returns early due to 'max_len <= 1'.
> 
> > probably short-circuit chain_lookup_fuzzy() earlier since h->chain.name
> > is always NULL, to avoid the useless loop.
> 
> Fine with me, too! What about allocating a name for the anonymous chain
> instead?

A dummy name could be allocated, but the kernel does not need the
chain name at this stage (it uses the ephemeral 32-bit chain ID
instead which is only valid in the netlink batch).

Probably set_lookup_fuzzy() should also short-circuit early the
misspell logic for anonymous sets.

> I guess similar treatment as with sets would make sense. Might
> also help with netlink debug output:
>
> | # nft --debug=netlink insert rule inet x y 'goto { accept; }'
> | inet (null) (null) use 0

# nft add table x
# nft --debug=netlink add chain x y
ip (null) (null) use 0

table is null, at least this one should be set, but this is
a partially different issue.

> | inet x
> |   [ immediate reg 0 accept ]
> | 
> |   inet x y
> |     [ immediate reg 0 goto ]
> | [...]
> 
> Thanks, Phil
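As an added illustration of the caller-side short-circuit proposed in this thread, here is a constructed C stand-in, not nft's own src/misspell.c: the names chain_lookup_fuzzy, string_distance and struct chain, the sample chain table and the one-edit-per-three-characters threshold are all assumptions. With a NULL key (the anonymous-chain case) the lookup returns before any strlen() or string_distance() call, so the callee itself needs no NULL tolerance.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for nft's misspell lookup: tolerates a NULL key. */
#define MAX_NAME 32
struct chain { const char *name; };
/* Constructed chain table used by the lookup below. */
const struct chain sample_chains[] = { {"input"}, {"forward"}, {"output"} };

/* Levenshtein distance; both strings non-NULL and at most MAX_NAME long. */
static unsigned int string_distance(const char *a, const char *b)
{
	unsigned int len_a = strlen(a), len_b = strlen(b), i, j;
	unsigned int prev[MAX_NAME + 1], cur[MAX_NAME + 1];
	for (j = 0; j <= len_b; j++)
		prev[j] = j;
	for (i = 1; i <= len_a; i++) {
		cur[0] = i;
		for (j = 1; j <= len_b; j++) {
			unsigned int del = prev[j] + 1, ins = cur[j - 1] + 1;
			unsigned int sub = prev[j - 1] + (a[i - 1] != b[j - 1]);
			cur[j] = del < ins ? del : ins;
			if (sub < cur[j]) cur[j] = sub;
		}
		memcpy(prev, cur, sizeof(prev));
	}
	return prev[len_b];
}

/* Best-matching chain name or NULL; a NULL or one-char key never reaches
 * string_distance(), so the callee itself needs no NULL guard. */
const char *chain_lookup_fuzzy(const struct chain *chains, size_t n,
			       const char *name)
{
	const char *best = NULL;
	unsigned int best_dist = 0, d, i;
	if (name == NULL || strlen(name) <= 1 || strlen(name) > MAX_NAME)
		return NULL;
	for (i = 0; i < n; i++) {
		if (strlen(chains[i].name) > MAX_NAME) continue;
		d = string_distance(name, chains[i].name);
		/* assumed threshold: at most one edit per three characters */
		if (d > strlen(name) / 3 || (best != NULL && d >= best_dist))
			continue;
		best = chains[i].name;
		best_dist = d;
	}
	return best;
}
```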


