Bug 1399764 - Segfault with 'ip6 nexthdr ipv6-frag'
Summary: Segfault with 'ip6 nexthdr ipv6-frag'
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nftables
Version: 7.4
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Phil Sutter
QA Contact: Vaclav Danek
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-29 16:56 UTC by Phil Sutter
Modified: 2017-08-01 18:56 UTC (History)
6 users (show)

Fixed In Version: nftables-0.6-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 18:56:07 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2047 0 normal SHIPPED_LIVE nftables bug fix and enhancement update 2017-08-01 18:13:06 UTC

Description Phil Sutter 2016-11-29 16:56:06 UTC 
The following command crashes nft utility reproducibly:

# nft add rule ip6 test ftest ip6 nexthdr ipv6-frag counter

Analysis of the cause using gdb and looking at differences between version 0.6 and upstream (which works fine) shows we're missing the following commit:

commit 3503738f77cdbe521da1054a37f59ac2e442b4cf
Author: Florian Westphal <fw>
Date:   Mon Jun 6 21:52:28 2016 +0200

    payload: don't update protocol context if we can't find a description
    
    Since commit
    20b1131c07acd2fc ("payload: fix stacked headers protocol context tracking")
    we deref null pointer if we can't find a description for the desired
    protocol, so "ip protocol 254" crashes while testing protocols 6 or 17
    (tcp, udp) works.
    
    Also add a test case for this.
    
    Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1072
    Signed-off-by: Florian Westphal <fw>
    Acked-by: Pablo Neira Ayuso <pablo>
Comment 6 errata-xmlrpc 2017-08-01 18:56:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2047
Note You need to log in before you can comment on or make changes to this bug.