Message ID | 20210615160151.10594-2-fw@strlen.de |
---|---|
State | Accepted, archived |
Delegated to: | Pablo Neira |
Headers | show |
Series | fix icmpv6 id dependeny handling | expand |
Hi, On Tue, Jun 15, 2021 at 06:01:49PM +0200, Florian Westphal wrote: > Pablo reports following input and output: > in: icmpv6 id 1 > out: icmpv6 type { echo-request, echo-reply } icmpv6 parameter-problem 65536/16 > > Reason is that icmp fields overlap, decoding of the correct name requires > check of the icmpv6 type. This only works for equality tests, for > instance > > in: icmpv6 type echo-request icmpv6 id 1 > will be listed as "icmpv6 id 1" (which is not correct either, since the > input only matches on echo-request). > > with this patch, output of 'icmpv6 id 1' is > icmpv6 type { echo-request, echo-reply } icmpv6 id 1 > > The second problem, the removal of a single check (request OR reply), > is resolved in the followup patch. > > Signed-off-by: Florian Westphal <fw@strlen.de> Eric reported a testcase in which this patch seems to cause a segfault (bisected). The test is as simple as: | nft -f - <<EOF | add table inet firewalld_check_rule_index | add chain inet firewalld_check_rule_index foobar { type filter hook input priority 0 ; } | add rule inet firewalld_check_rule_index foobar tcp dport 1234 accept | add rule inet firewalld_check_rule_index foobar accept | insert rule inet firewalld_check_rule_index foobar index 1 udp dport 4321 accept | EOF But a ruleset is in place at this time. Also, I can't reproduce it on my own machine but only on Eric's VM for testing. [...] > static void payload_match_postprocess(struct rule_pp_ctx *ctx, > struct expr *expr, > struct expr *payload) > @@ -1883,6 +1932,19 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx, > if (expr->right->etype == EXPR_VALUE) { > payload_match_expand(ctx, expr, payload); > break; > + } else if (expr->right->etype == EXPR_SET_REF) { > + struct set *set = expr->right->set; > + > + if (set_is_anonymous(set->flags) && > + !list_empty(&set->init->expressions)) { According to GDB, set->init is NULL here. I am not familiar with recent changes in cache code, maybe there's the actual culprit: Debug printf in cache_init_objects() states flags variable is 0x4000005f, i.e. NFT_CACHE_SETELEM_BIT is not set. I am not sure if caching is incomplete and we need that bit or if the above code should expect sets with missing elements and therefore check 'set->init != NULL' before accessing expressions field. Cheers, Phil
Phil Sutter <phil@nwl.cc> wrote: > > will be listed as "icmpv6 id 1" (which is not correct either, since the > > input only matches on echo-request). > > > > with this patch, output of 'icmpv6 id 1' is > > icmpv6 type { echo-request, echo-reply } icmpv6 id 1 > > > > The second problem, the removal of a single check (request OR reply), > > is resolved in the followup patch. > > > > Signed-off-by: Florian Westphal <fw@strlen.de> > > Eric reported a testcase in which this patch seems to cause a segfault > (bisected). The test is as simple as: > > | nft -f - <<EOF > | add table inet firewalld_check_rule_index > | add chain inet firewalld_check_rule_index foobar { type filter hook input priority 0 ; } > | add rule inet firewalld_check_rule_index foobar tcp dport 1234 accept > | add rule inet firewalld_check_rule_index foobar accept > | insert rule inet firewalld_check_rule_index foobar index 1 udp dport 4321 accept > | EOF > > But a ruleset is in place at this time. Also, I can't reproduce it on my > own machine but only on Eric's VM for testing. You need to add a ruleset with icmp id 42 then it will crash. adding 'list ruleset' before EOF avoids it, because cache gets populated. > I am not familiar with recent changes in cache code, maybe there's the > actual culprit: Debug printf in cache_init_objects() states flags > variable is 0x4000005f, i.e. NFT_CACHE_SETELEM_BIT is not set. > > I am not sure if caching is incomplete and we need that bit or if the > above code should expect sets with missing elements and therefore check > 'set->init != NULL' before accessing expressions field. I think correct fix is to check set->init, we don't need to do postprocessing if its not going to be printed.
Phil Sutter <phil@nwl.cc> wrote: > Eric reported a testcase in which this patch seems to cause a segfault > (bisected). The test is as simple as: I've pushed fix and a test case.
Hey, On Wed, Jun 30, 2021 at 05:58:26PM +0200, Florian Westphal wrote: > Phil Sutter <phil@nwl.cc> wrote: > > Eric reported a testcase in which this patch seems to cause a segfault > > (bisected). The test is as simple as: > > I've pushed fix and a test case. Awesome, thanks for the quick patch and test case! Cheers, Phil
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 9a1cf3c4f7d9..2785a9490682 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -1819,9 +1819,6 @@ static void payload_match_expand(struct rule_pp_ctx *ctx, enum proto_bases base = left->payload.base; bool stacked; - if (ctx->pdctx.icmp_type) - ctx->pctx.th_dep.icmp.type = ctx->pdctx.icmp_type; - payload_expr_expand(&list, left, &ctx->pctx); list_for_each_entry(left, &list, list) { @@ -1868,6 +1865,58 @@ static void payload_match_expand(struct rule_pp_ctx *ctx, ctx->stmt = NULL; } +static void payload_icmp_check(struct rule_pp_ctx *rctx, struct expr *expr, const struct expr *value) +{ + const struct proto_hdr_template *tmpl; + const struct proto_desc *desc; + uint8_t icmp_type; + unsigned int i; + + assert(expr->etype == EXPR_PAYLOAD); + assert(value->etype == EXPR_VALUE); + + if (expr->payload.base != PROTO_BASE_TRANSPORT_HDR) + return; + + /* icmp(v6) type is 8 bit, if value is smaller or larger, this is not + * a protocol dependency. + */ + if (expr->len != 8 || value->len != 8 || rctx->pctx.th_dep.icmp.type) + return; + + desc = rctx->pctx.protocol[expr->payload.base].desc; + if (desc == NULL) + return; + + /* not icmp? ignore. */ + if (desc != &proto_icmp && desc != &proto_icmp6) + return; + + assert(desc->base == expr->payload.base); + + icmp_type = mpz_get_uint8(value->value); + + for (i = 1; i < array_size(desc->templates); i++) { + tmpl = &desc->templates[i]; + + if (tmpl->len == 0) + return; + + if (tmpl->offset != expr->payload.offset || + tmpl->len != expr->len) + continue; + + /* Matches but doesn't load a protocol key -> ignore. */ + if (desc->protocol_key != i) + return; + + expr->payload.desc = desc; + expr->payload.tmpl = tmpl; + rctx->pctx.th_dep.icmp.type = icmp_type; + return; + } +} + static void payload_match_postprocess(struct rule_pp_ctx *ctx, struct expr *expr, struct expr *payload) @@ -1883,6 +1932,19 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx, if (expr->right->etype == EXPR_VALUE) { payload_match_expand(ctx, expr, payload); break; + } else if (expr->right->etype == EXPR_SET_REF) { + struct set *set = expr->right->set; + + if (set_is_anonymous(set->flags) && + !list_empty(&set->init->expressions)) { + struct expr *elem; + + elem = list_first_entry(&set->init->expressions, struct expr, list); + + if (elem->etype == EXPR_SET_ELEM && + elem->key->etype == EXPR_VALUE) + payload_icmp_check(ctx, payload, elem->key); + } } /* Fall through */ default:
Pablo reports following input and output: in: icmpv6 id 1 out: icmpv6 type { echo-request, echo-reply } icmpv6 parameter-problem 65536/16 Reason is that icmp fields overlap, decoding of the correct name requires check of the icmpv6 type. This only works for equality tests, for instance in: icmpv6 type echo-request icmpv6 id 1 will be listed as "icmpv6 id 1" (which is not correct either, since the input only matches on echo-request). with this patch, output of 'icmpv6 id 1' is icmpv6 type { echo-request, echo-reply } icmpv6 id 1 The second problem, the removal of a single check (request OR reply), is resolved in the followup patch. Signed-off-by: Florian Westphal <fw@strlen.de> --- v2: make sure dependency set candidate a) has elements and b) is anonymous. src/netlink_delinearize.c | 68 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 65 insertions(+), 3 deletions(-)