Bug 1314403

Summary: tc segfaults when printing filters with multiple xt actions attached
Product: Red Hat Enterprise Linux 7
Component: iproute
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Reporter: Phil Sutter <psutter>
Assignee: Phil Sutter <psutter>
QA Contact: Marek Marusic <mmarusic>
CC: aloughla, jaster, mmarusic, psutter
Fixed In Version: iproute-3.10.0-61.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-11-03 23:38:52 UTC

Description Phil Sutter 2016-03-03 13:53:34 UTC
To reproduce this issue, attach an ingress qdisc to some interface (veth0 in this case):

# tc qd add dev veth0 ingress handle ffff:

Then add two identical filters, each with xt action:

# tc filter add dev veth0 parent ffff: u32 match u32 0 0 action xt -j LOG
# tc filter add dev veth0 parent ffff: u32 match u32 0 0 action xt -j LOG

Finally try to print the filter list:

# tc filter show dev veth0 parent ffff:

tc will segfault at the last step. The issue has been fixed upstream:

commit 6e2e5ec28bad4561c534adf4f22b2706e385c71d
Author: Andreas Greve <andreas.greve>
Date:   Sat May 10 11:19:18 2014 +0200

    fix print_ipt: segfault if more than one filter with action -j MARK.
    
    BUG: tc filter show ... produces a segmentation fault if more than one
    filter rule with action -j MARK exists.
    
    Reason: In print_ipt(...) xtables will be initialized with a
    pointer to the static struct tcipt_globals at xtables_init_all().
    Later on the fields .opts and .options_offset of tcipt_globals are
    modified. The call of xtables_free_opts(1) at the end of print(...)
    does not restore the original values of tcipt_globals for the
    modified fields. It only frees some allocated memory and sets
    .opts to NULL. This leads to a segmentation fault when print_ipt()
    is called for the next filter rule with action -j MARK.
    
    Fix: Clone tcipt_globals on the stack as tmp_tcipt_globals and
    use it instead of tcipt_globals, so tcipt_globals will not be
    modified.
    
    Signed-off-by: Andreas Greve <andreas.greve>
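
As an added illustration (not iproute2's or xtables' code), the C model below reproduces the stale-state bug the commit message describes: a static globals struct whose .opts is merged, freed and set to NULL on the first print, so the second filter's print dereferences NULL, beside the stack-clone fix. The struct layout, merge_options, free_opts, base_opts and log_opts are constructed stand-ins; where the real code would segfault, merge_options returns -1 so the behaviour can be checked.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for xtables' option table and globals struct; only
 * the two fields the commit message names are modeled (not real code). */
struct opt { const char *name; int has_arg; };
struct globals { struct opt *opts; unsigned int options_offset; };
static struct opt base_opts[] = { { "jump", 1 }, { NULL, 0 } };
/* The static object the buggy print_ipt() hands to xtables_init_all(). */
static struct globals tcipt_globals = { base_opts, 0 };

/* Models xtables_merge_options(): heap copy of g->opts plus the target's
 * options, updating both fields in place. Returns -1 where the real code
 * would dereference a NULL g->opts (the segfault in the report). */
static int merge_options(struct globals *g, const struct opt *extra)
{
    size_t n = 0, m = 0;
    if (g->opts == NULL) return -1;
    while (g->opts[n].name) n++;
    while (extra[m].name) m++;
    struct opt *merged = calloc(n + m + 1, sizeof *merged);
    if (!merged) return -1;
    memcpy(merged, g->opts, n * sizeof *merged);
    memcpy(merged + n, extra, m * sizeof *merged);
    g->opts = merged;
    g->options_offset += n;
    return 0;
}

/* Models xtables_free_opts(1): frees and NULLs .opts without restoring
 * base_opts or options_offset. */
static void free_opts(struct globals *g) { free(g->opts); g->opts = NULL; }
static const struct opt log_opts[] = { { "log-prefix", 1 }, { NULL, 0 } };

/* Buggy print_ipt(): mutates the static struct, so the second filter's
 * call finds .opts == NULL left behind by the first call. */
int print_ipt_buggy(void)
{
    if (merge_options(&tcipt_globals, log_opts) < 0) return -1;
    free_opts(&tcipt_globals);
    return 0;
}

/* Fixed print_ipt(): work on a stack clone; tcipt_globals is untouched. */
int print_ipt_fixed(void)
{
    struct globals tmp_tcipt_globals = tcipt_globals;
    if (merge_options(&tmp_tcipt_globals, log_opts) < 0) return -1;
    free_opts(&tmp_tcipt_globals);
    return 0;
}
```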

Comment 5 Phil Sutter 2016-04-12 11:22:31 UTC
Hi Jaroslav,

As discussed with Marek in private, this is a known issue which existed upstream as well. It is tracked in bug 1314398. Thanks for your efforts in tracking this down!

Cheers, Phil

Comment 10 errata-xmlrpc 2016-11-03 23:38:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2162.html