From patchwork Wed Nov 30 19:13:37 2022
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1710657
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 1/9] tests: shell: Fix valgrind mode for 0008-unprivileged_0
Date: Wed, 30 Nov 2022 20:13:37 +0100
Message-Id: <20221130191345.14543-2-phil@nwl.cc>
In-Reply-To: <20221130191345.14543-1-phil@nwl.cc>
References: <20221130191345.14543-1-phil@nwl.cc>

Valgrind is run as user nobody, let everyone write into the temporary
directory.

Signed-off-by: Phil Sutter
---
 iptables/tests/shell/run-tests.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/iptables/tests/shell/run-tests.sh b/iptables/tests/shell/run-tests.sh
index 7878760fdcc4d..7a80af3432285 100755
--- a/iptables/tests/shell/run-tests.sh
+++ b/iptables/tests/shell/run-tests.sh
@@ -122,7 +122,8 @@ EOF if [ "$VALGRIND" == "y" ]; then tmpd=$(mktemp -d) msg_info "writing valgrind logs to $tmpd" - chmod a+rx $tmpd + # let nobody write logs, too (././testcases/iptables/0008-unprivileged_0) + chmod 777 $tmpd printscript "$XTABLES_NFT_MULTI" "$tmpd" >${tmpd}/xtables-nft-multi printscript "$XTABLES_LEGACY_MULTI" "$tmpd" >${tmpd}/xtables-legacy-multi trap "rm ${tmpd}/xtables-*-multi" EXIT From patchwork Wed Nov 30 19:13:38 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1710658 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=niPc19bQ; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4NMpmd5g3yz23nT for ; Thu, 1 Dec 2022 06:14:41 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229538AbiK3TOk (ORCPT ); Wed, 30 Nov 2022 14:14:40 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33272 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229512AbiK3TOj (ORCPT ); Wed, 30 Nov 2022 14:14:39 -0500 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AD4425E9E8 for ; Wed, 30 Nov 2022 11:14:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; 
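Review bot: 'chmod 777 $tmpd' in the VALGRIND branch makes the mktemp
directory world-writable without the sticky bit, and the next two lines
write the xtables-nft-multi and xtables-legacy-multi wrapper scripts into
that same directory, so any local user can remove or replace them while
the suite runs. Consider 'chmod 1777 "$tmpd"', or keep the wrappers in a
directory only the invoking user can write and give nobody a separate log
directory. $tmpd should also be quoted, and the '././testcases/...' path
in the new comment looks like a typo for './testcases/...'.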
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 2/9] iptables-restore: Free handle with --test also
Date: Wed, 30 Nov 2022 20:13:38 +0100
Message-Id: <20221130191345.14543-3-phil@nwl.cc>
In-Reply-To: <20221130191345.14543-1-phil@nwl.cc>
References: <20221130191345.14543-1-phil@nwl.cc>

When running 'iptables-restore -t', valgrind reports:

1,496 (160 direct, 1,336 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4
   at 0x48417E5: malloc (vg_replace_malloc.c:381)
   by 0x4857A46: alloc_handle (libiptc.c:1279)
   by 0x4857A46: iptc_init (libiptc.c:1342)
   by 0x1167CE: create_handle (iptables-restore.c:72)
   by 0x1167CE: ip46tables_restore_main (iptables-restore.c:229)
   by 0x116DAE: iptables_restore_main (iptables-restore.c:388)
   by 0x49A2349: (below main) (in /lib64/libc.so.6)

Free the handle pointer before parsing the next table.

Fixes: 1c9015b2cb483 ("libiptc: remove indirections")
Signed-off-by: Phil Sutter
---
 iptables/iptables-restore.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 05661bf6ceee3..6f7ddf93b01bb 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -185,12 +185,12 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb, if (!testing) { DEBUGP("Calling commit\n"); ret = cb->ops->commit(handle); - cb->ops->free(handle); - handle = NULL; } else { DEBUGP("Not calling commit, testing\n"); ret = 1; } + cb->ops->free(handle); + handle = NULL; /* Done with the current table, release the lock. */ if (lock >= 0) { From patchwork Wed Nov 30 19:13:39 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1710655 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=BG4R3UHm; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4NMpmJ0qVnz23nT for ; Thu, 1 Dec 2022 06:14:24 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229472AbiK3TOW (ORCPT ); Wed, 30 Nov 2022 14:14:22 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33200 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229448AbiK3TOV (ORCPT ); Wed, 30 Nov 2022 14:14:21 -0500 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 563A25E3E5 for ; Wed, 30 Nov 2022 11:14:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: 
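Review bot: the 'cb->ops->free(handle);' call moved below the if/else now
also runs on the testing path, and the visible context does not show that
handle is always non-NULL when this point is reached with --test. If
earlier checks guarantee it, a short comment saying so would help;
otherwise guard the call with 'if (handle)'. A shell testcase that runs
'iptables-restore -t' under valgrind would keep this leak from coming
back.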
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 3/9] iptables-xml: Free allocated chain strings
Date: Wed, 30 Nov 2022 20:13:39 +0100
Message-Id: <20221130191345.14543-4-phil@nwl.cc>
In-Reply-To: <20221130191345.14543-1-phil@nwl.cc>
References: <20221130191345.14543-1-phil@nwl.cc>

Freeing only if 'created' is non-zero is wrong - the data was still
allocated. In fact, the field is supposed to prevent only the call to
openChain().

Fixes: 8d3eccb19a9c6 ("Add iptables-xml tool (Amin Azez )")
Signed-off-by: Phil Sutter
---
 iptables/iptables-xml.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index d28cf7481b55d..396c0a123ea08 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -225,13 +225,13 @@ finishChains(void) { int c; - for (c = 0; c < nextChain; c++) - if (!chains[c].created) { + for (c = 0; c < nextChain; c++) { + if (!chains[c].created) openChain(chains[c].chain, chains[c].policy, &(chains[c].count), '/'); - free(chains[c].chain); - free(chains[c].policy); - } + free(chains[c].chain); + free(chains[c].policy); + } nextChain = 0; } From patchwork Wed Nov 30 19:13:40 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1710659 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=nwysA/by; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4NMpmk30Hkz23nT for ; Thu, 1 Dec 2022 06:14:46 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229568AbiK3TOp (ORCPT ); Wed, 30 Nov 2022 14:14:45 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33308 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229512AbiK3TOo (ORCPT ); Wed, 30 Nov 2022 14:14:44 -0500 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E8A9F63D50 for ; Wed, 30 Nov 2022 11:14:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: 
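Review bot: in finishChains() the loop now frees chains[c].chain and
chains[c].policy for every entry but leaves the stale pointers in the
array; only 'nextChain = 0;' keeps them from being reached again. Setting
both fields to NULL right after the free() calls would turn a later stale
access into an obvious failure and make a repeated free harmless.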
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 4/9] nft: Plug memleak in nft_rule_zero_counters()
Date: Wed, 30 Nov 2022 20:13:40 +0100
Message-Id: <20221130191345.14543-5-phil@nwl.cc>
In-Reply-To: <20221130191345.14543-1-phil@nwl.cc>
References: <20221130191345.14543-1-phil@nwl.cc>

When zeroing a specific rule, valgrind reports:

40 bytes in 1 blocks are definitely lost in loss record 1 of 1
   at 0x484659F: calloc (vg_replace_malloc.c:1328)
   by 0x48DE128: xtables_calloc (xtables.c:434)
   by 0x11C7C6: nft_parse_immediate (nft-shared.c:1071)
   by 0x11C7C6: nft_rule_to_iptables_command_state (nft-shared.c:1236)
   by 0x119AF5: nft_rule_zero_counters (nft.c:2877)
   by 0x11A3CA: nft_prepare (nft.c:3445)
   by 0x11A7A8: nft_commit (nft.c:3479)
   by 0x114258: xtables_main.isra.0 (xtables-standalone.c:94)
   by 0x1142D9: xtables_ip6_main (xtables-standalone.c:118)
   by 0x49F2349: (below main) (in /lib64/libc.so.6)

Have to free the matches/target in populated iptables_command_state
object again. While being at it, call the proper family_ops callbacks
since this is family-agnostic code.

Fixes: a69cc575295ee ("xtables: allow to reset the counters of an existing rule")
Signed-off-by: Phil Sutter
---
 iptables/nft.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index 4af55341a210f..5def01ad6bfbc 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2873,10 +2873,11 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain, goto error; } - nft_rule_to_iptables_command_state(h, r, &cs); - + h->ops->rule_to_cs(h, r, &cs); cs.counters.pcnt = cs.counters.bcnt = 0; new_rule = nft_rule_new(h, chain, table, &cs); + h->ops->clear_cs(&cs); + if (!new_rule) return 1; From patchwork Wed Nov 30 19:13:41 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1710650 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=EHg0WYpr; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4NMplq1HfDz23nT for ; Thu, 1 Dec 2022 06:13:59 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229475AbiK3TN4 (ORCPT ); Wed, 30 Nov 2022 14:13:56 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33016 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229566AbiK3TNz (ORCPT ); Wed, 30 Nov 2022 14:13:55 -0500 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E24785803C for ; Wed, 30 Nov 2022 11:13:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: 
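Review bot: the result of 'h->ops->rule_to_cs(h, r, &cs);' is discarded,
although nft_rule_to_iptables_command_state() is declared to return bool
in nft-shared.h, so if a false return signals a failed conversion, a
partly filled cs still goes into nft_rule_new(). Check the return value
and leave through 'h->ops->clear_cs(&cs);' on failure. Calling clear_cs
before the 'if (!new_rule)' test is the right spot, since it covers both
exits.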
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 5/9] iptables: Plug memleaks in print_firewall()
Date: Wed, 30 Nov 2022 20:13:41 +0100
Message-Id: <20221130191345.14543-6-phil@nwl.cc>
In-Reply-To: <20221130191345.14543-1-phil@nwl.cc>
References: <20221130191345.14543-1-phil@nwl.cc>

When adding a rule in verbose mode, valgrind prints:

192 bytes in 1 blocks are definitely lost in loss record 1 of 2
   at 0x48417E5: malloc (vg_replace_malloc.c:381)
   by 0x486B158: xtables_malloc (xtables.c:446)
   by 0x486C1F6: xtables_find_match (xtables.c:826)
   by 0x10E684: print_match (iptables.c:115)
   by 0x10E684: print_firewall (iptables.c:169)
   by 0x10FC0C: print_firewall_line (iptables.c:196)
   by 0x10FC0C: append_entry (iptables.c:221)
   by 0x10FC0C: do_command4 (iptables.c:776)
   by 0x10E45B: iptables_main (iptables-standalone.c:59)
   by 0x49A2349: (below main) (in /lib64/libc.so.6)

200 bytes in 1 blocks are definitely lost in loss record 2 of 2
   at 0x48417E5: malloc (vg_replace_malloc.c:381)
   by 0x486B158: xtables_malloc (xtables.c:446)
   by 0x486BBD6: xtables_find_target (xtables.c:956)
   by 0x10E579: print_firewall (iptables.c:145)
   by 0x10FC0C: print_firewall_line (iptables.c:196)
   by 0x10FC0C: append_entry (iptables.c:221)
   by 0x10FC0C: do_command4 (iptables.c:776)
   by 0x10E45B: iptables_main (iptables-standalone.c:59)
   by 0x49A2349: (below main) (in /lib64/libc.so.6)

If the match/target was cloned, it needs to be freed. Basically a bug since
day 1.

Signed-off-by: Phil Sutter
---
 iptables/ip6tables.c | 6 ++++++
 iptables/iptables.c | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index 062b2b152d554..1d2326570a71d 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -122,6 +122,9 @@ print_match(const struct xt_entry_match *m, printf("%s%s ", match->name, unsupported_rev); else printf("%s ", match->name); + + if (match->next == match) + free(match); } else { if (name[0]) printf("UNKNOWN match `%s' ", name); @@ -179,6 +182,9 @@ print_firewall(const struct ip6t_entry *fw, tg->print(&fw->ipv6, t, format & FMT_NUMERIC); else if (target->print) printf(" %s%s", target->name, unsupported_rev); + + if (target->next == target) + free(target); } else if (t->u.target_size != sizeof(*t)) printf("[%u bytes of unknown target data] ", (unsigned int)(t->u.target_size - sizeof(*t))); diff --git a/iptables/iptables.c b/iptables/iptables.c index 0351b39fb7e3e..d246198f49d27 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c @@ -122,6 +122,9 @@ print_match(const struct xt_entry_match *m, printf("%s%s ", match->name, unsupported_rev); else printf("%s ", match->name); + + if (match->next == match) + free(match); } else { if (name[0]) printf("UNKNOWN match `%s' ", name); 
@@ -178,6 +181,9 @@ print_firewall(const struct ipt_entry *fw, tg->print(&fw->ip, t, format & FMT_NUMERIC); else if (target->print) printf(" %s%s", target->name, unsupported_rev); + + if (target->next == target) + free(target); } else if (t->u.target_size != sizeof(*t)) printf("[%u bytes of unknown target data] ", (unsigned int)(t->u.target_size - sizeof(*t))); From patchwork Wed Nov 30 19:13:42 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1710654 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=CBsRkFZ2; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4NMpmC2rKvz23nT for ; Thu, 1 Dec 2022 06:14:19 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229589AbiK3TOR (ORCPT ); Wed, 30 Nov 2022 14:14:17 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33166 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229448AbiK3TOQ (ORCPT ); Wed, 30 Nov 2022 14:14:16 -0500 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 011C762E8C for ; Wed, 30 Nov 2022 11:14:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: 
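Review bot: the 'if (match->next == match) free(match);' and
'if (target->next == target) free(target);' checks are added four times
across ip6tables.c and iptables.c with no comment explaining that a
self-referencing next pointer marks a clone the caller owns. A one-line
comment at each site, or a small shared helper that carries the comment,
would document the ownership rule in one place and keep the two files
from drifting apart.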
From: Phil Sutter
To: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 6/9] xtables: Introduce xtables_clear_iptables_command_state()
Date: Wed, 30 Nov 2022 20:13:42 +0100
Message-Id: <20221130191345.14543-7-phil@nwl.cc>
In-Reply-To: <20221130191345.14543-1-phil@nwl.cc>
References: <20221130191345.14543-1-phil@nwl.cc>

This is nft_clear_iptables_command_state() but in a location reachable
by legacy iptables, too.

Changes callers in non-family-specific code to use clear_cs callback
instead of directly calling it - ebtables still has a custom variant.

Signed-off-by: Phil Sutter --- iptables/nft-arp.c | 4 ++-- iptables/nft-ipv4.c | 4 ++-- iptables/nft-ipv6.c | 4 ++-- iptables/nft-shared.c | 14 -------------- iptables/nft-shared.h | 1 - iptables/xshared.c | 17 +++++++++++++++++ iptables/xshared.h | 2 ++ iptables/xtables-translate.c | 2 +- iptables/xtables.c | 2 +- 9 files changed, 27 insertions(+), 23 deletions(-) diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c index 59f100af2a6b9..d670cbe629fe4 100644 --- a/iptables/nft-arp.c +++ b/iptables/nft-arp.c @@ -490,7 +490,7 @@ nft_arp_print_rule(struct nft_handle *h, struct nftnl_rule *r, if (!(format & FMT_NONEWLINE)) fputc('\n', stdout); - nft_clear_iptables_command_state(&cs); + xtables_clear_iptables_command_state(&cs); } static bool nft_arp_is_same(const struct iptables_command_state *cs_a, @@ -787,7 +787,7 @@ struct nft_family_ops nft_family_ops_arp = { }, .rule_to_cs = nft_rule_to_iptables_command_state, .init_cs = nft_arp_init_cs, - .clear_cs = nft_clear_iptables_command_state, + .clear_cs = xtables_clear_iptables_command_state, .parse_target = nft_ipv46_parse_target, .add_entry = nft_arp_add_entry, .delete_entry = nft_arp_delete_entry, diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index 6c62dd46dddac..42167351710e6 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -247,7 +247,7 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r, if (!(format & FMT_NONEWLINE)) fputc('\n', stdout); - nft_clear_iptables_command_state(&cs); + xtables_clear_iptables_command_state(&cs); } static void nft_ipv4_save_rule(const struct iptables_command_state *cs, @@ -454,7 +454,7 @@ struct nft_family_ops nft_family_ops_ipv4 = { }, .parse_target = nft_ipv46_parse_target, .rule_to_cs = nft_rule_to_iptables_command_state, - .clear_cs = nft_clear_iptables_command_state, + .clear_cs = xtables_clear_iptables_command_state, .xlate = nft_ipv4_xlate, .add_entry = nft_ipv4_add_entry, .delete_entry = nft_ipv4_delete_entry, 
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index 98c35afa67ad9..3a373b7eb2cfe 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -211,7 +211,7 @@ static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r, if (!(format & FMT_NONEWLINE)) fputc('\n', stdout); - nft_clear_iptables_command_state(&cs); + xtables_clear_iptables_command_state(&cs); } static void nft_ipv6_save_rule(const struct iptables_command_state *cs, @@ -423,7 +423,7 @@ struct nft_family_ops nft_family_ops_ipv6 = { }, .parse_target = nft_ipv46_parse_target, .rule_to_cs = nft_rule_to_iptables_command_state, - .clear_cs = nft_clear_iptables_command_state, + .clear_cs = xtables_clear_iptables_command_state, .xlate = nft_ipv6_xlate, .add_entry = nft_ipv6_add_entry, .delete_entry = nft_ipv6_delete_entry, diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 63d251986f65b..f1503b6ce0cbc 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -1293,20 +1293,6 @@ bool nft_rule_to_iptables_command_state(struct nft_handle *h, return ret; } -void nft_clear_iptables_command_state(struct iptables_command_state *cs) -{ - xtables_rule_matches_free(&cs->matches); - if (cs->target) { - free(cs->target->t); - cs->target->t = NULL; - - if (cs->target == cs->target->next) { - free(cs->target); - cs->target = NULL; - } - } -} - void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy) { const char *chain = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME); diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h index e2c3ac7b0cc5c..07d39131cb0d6 100644 --- a/iptables/nft-shared.h +++ b/iptables/nft-shared.h 
@@ -216,7 +216,6 @@ void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv); bool nft_rule_to_iptables_command_state(struct nft_handle *h, const struct nftnl_rule *r, struct iptables_command_state *cs); -void nft_clear_iptables_command_state(struct iptables_command_state *cs); void print_matches_and_target(struct iptables_command_state *cs, unsigned int format); void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy); diff --git a/iptables/xshared.c b/iptables/xshared.c index d400dc595ea99..2a894c19a011d 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -1356,6 +1356,23 @@ static const char *optstring_lookup(int family) return ""; } +void xtables_clear_iptables_command_state(struct iptables_command_state *cs) +{ + xtables_rule_matches_free(&cs->matches); + if (cs->target) { + free(cs->target->t); + cs->target->t = NULL; + + free(cs->target->udata); + cs->target->udata = NULL; + + if (cs->target == cs->target->next) { + free(cs->target); + cs->target = NULL; + } + } +} + void do_parse(int argc, char *argv[], struct xt_cmd_parse *p, struct iptables_command_state *cs, struct xtables_args *args) diff --git a/iptables/xshared.h b/iptables/xshared.h index bfae4b4e1b5d3..0ed9f3c29c600 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -130,6 +130,8 @@ struct iptables_command_state { bool restore; }; +void xtables_clear_iptables_command_state(struct iptables_command_state *cs); + typedef int (*mainfunc_t)(int, char **); struct subcommand { diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c index 4e8db4bedff88..e8d251b3162d9 100644 --- a/iptables/xtables-translate.c +++ b/iptables/xtables-translate.c @@ -336,7 +336,7 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[], exit(1); } - nft_clear_iptables_command_state(&cs); + h->ops->clear_cs(&cs); if (h->family == AF_INET) { free(args.s.addr.v4); 
diff --git a/iptables/xtables.c b/iptables/xtables.c index 70924176df8c1..22d6ea58376fc 100644 --- a/iptables/xtables.c +++ b/iptables/xtables.c 
@@ -262,7 +262,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, *table = p.table; - nft_clear_iptables_command_state(&cs); + h->ops->clear_cs(&cs); free(args.s.addr.ptr); free(args.s.mask.ptr); From patchwork Wed Nov 30 19:13:43 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1710651 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=Uf36i+Ad; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4NMplv3lQmz23nT for ; Thu, 1 Dec 2022 06:14:03 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229566AbiK3TOC (ORCPT ); Wed, 30 Nov 2022 14:14:02 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33076 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229456AbiK3TOA (ORCPT ); Wed, 30 Nov 2022 14:14:00 -0500 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E28525803C for ; Wed, 30 Nov 2022 11:13:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc 
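Review bot: xtables_clear_iptables_command_state() in xshared.c is not a pure move of the helper removed from nft-shared.c: it additionally does `free(cs->target->udata)`, so every nft caller changes behaviour along with the rename. That deserves a comment at the new xshared.h prototype stating what the function releases (matches, target->t, target->udata) and that cs->target itself is freed only when `cs->target == cs->target->next`, since callers otherwise cannot tell whether cs->target is still valid afterwards.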
From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 7/9] iptables: Properly clear iptables_command_state object Date: Wed, 30 Nov 2022 20:13:43 +0100 Message-Id: <20221130191345.14543-8-phil@nwl.cc> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221130191345.14543-1-phil@nwl.cc> References: <20221130191345.14543-1-phil@nwl.cc> MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org When adding a rule with a target which defines a udata_size, valgrind prints: 8 bytes in 1 blocks are definitely lost in loss record 1 of 1 at 0x484659F: calloc (vg_replace_malloc.c:1328) by 0x486B128: xtables_calloc (xtables.c:434) by 0x1128B4: xs_init_target (xshared.c:238) by 0x113CD3: command_jump (xshared.c:877) by 0x114969: do_parse (xshared.c:1644) by 0x10EEB9: do_command4 (iptables.c:691) by 0x10E45B: iptables_main (iptables-standalone.c:59) by 0x49A2349: (below main) (in /lib64/libc.so.6) It is not sufficient to free cs.target->t, so call xtables_clear_iptables_command_state() which takes care of all the details. Fixes: 2dba676b68ef8 ("extensions: support for per-extension instance "global" variable space") Signed-off-by: Phil Sutter --- iptables/ip6tables.c | 3 +-- iptables/iptables.c | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index 1d2326570a71d..345af4519bfe7 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -778,7 +778,6 @@ int do_command6(int argc, char *argv[], char **table, xtables_find_target(cs.jumpto, XTF_LOAD_MUST_SUCCEED); } else { e = generate_entry(&cs.fw6, cs.matches, cs.target->t); - free(cs.target->t); } } 
@@ -880,7 +879,7 @@ int do_command6(int argc, char *argv[], char **table, if (verbose > 1) dump_entries6(*handle); - xtables_rule_matches_free(&cs.matches); + xtables_clear_iptables_command_state(&cs); if (e != NULL) { free(e); diff --git a/iptables/iptables.c b/iptables/iptables.c index d246198f49d27..6f7b34762ea40 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c @@ -773,7 +773,6 @@ int do_command4(int argc, char *argv[], char **table, xtables_find_target(cs.jumpto, XTF_LOAD_MUST_SUCCEED); } else { e = generate_entry(&cs.fw, cs.matches, cs.target->t); - free(cs.target->t); } } 
@@ -875,7 +874,7 @@ int do_command4(int argc, char *argv[], char **table, if (verbose > 1) dump_entries(*handle); - xtables_rule_matches_free(&cs.matches); + xtables_clear_iptables_command_state(&cs); if (e != NULL) { free(e); From patchwork Wed Nov 30 19:13:44 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1710652 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=I0bwTfnA; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4NMpm03YYpz23nT for ; Thu, 1 Dec 2022 06:14:08 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229569AbiK3TOG (ORCPT ); Wed, 30 Nov 2022 14:14:06 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33098 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229456AbiK3TOF (ORCPT ); Wed, 30 Nov 2022 14:14:05 -0500 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4A5CE5E3E5 for ; Wed, 30 Nov 2022 11:14:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc 
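Review bot: replacing `xtables_rule_matches_free(&cs.matches)` with `xtables_clear_iptables_command_state(&cs)` at the end of do_command4() and do_command6() closes the reported udata leak only because of the `free(cs->target->udata)` that the xshared.c patch shown above adds to that function. This patch carries the Fixes: tag, so a backport picked by that tag alone depends on that other patch; worth stating the dependency in the changelog. Dropping the early `free(cs.target->t)` after generate_entry() is required with this change, because the clear function frees the same pointer and the old call did not reset it to NULL.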
From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 8/9] xshared: Free data after printing help Date: Wed, 30 Nov 2022 20:13:44 +0100 Message-Id: <20221130191345.14543-9-phil@nwl.cc> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221130191345.14543-1-phil@nwl.cc> References: <20221130191345.14543-1-phil@nwl.cc> MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org This is merely to make valgrind happy, but less noise means less real issues missed. Signed-off-by: Phil Sutter --- iptables/xshared.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/iptables/xshared.c b/iptables/xshared.c index 2a894c19a011d..f93529b11a319 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c 
@@ -1543,6 +1543,9 @@ void do_parse(int argc, char *argv[], XTF_TRY_LOAD, &cs->matches); xtables_printhelp(cs->matches); + xtables_clear_iptables_command_state(cs); + xtables_free_opts(1); + xtables_fini(); exit(0); /* From patchwork Wed Nov 30 19:13:45 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1710656 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=og5C4o8k; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4NMpmN4qMJz23nT for ; Thu, 1 Dec 2022 06:14:28 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229448AbiK3TO1 (ORCPT ); Wed, 30 Nov 2022 14:14:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33242 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229613AbiK3TO1 (ORCPT ); Wed, 30 Nov 2022 14:14:27 -0500 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B666B62E8C for ; Wed, 30 Nov 2022 11:14:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc 
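Review bot: the three cleanup calls added before `exit(0)` in the help path of do_parse() are open-coded and their order is not explained. xtables_clear_iptables_command_state(cs) reads cs->matches and cs->target, so if xtables_fini() can invalidate what those point to, the clear has to stay ahead of it; please say so in a short comment, or move the sequence into a small helper that other early-exit paths can reuse, so a later edit does not reorder the calls.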
From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 9/9] libiptc: Eliminate garbage access Date: Wed, 30 Nov 2022 20:13:45 +0100 Message-Id: <20221130191345.14543-10-phil@nwl.cc> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221130191345.14543-1-phil@nwl.cc> References: <20221130191345.14543-1-phil@nwl.cc> MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org When adding a rule, valgrind prints: Syscall param socketcall.setsockopt(optval) points to uninitialised byte(s) at 0x4A8165A: setsockopt (in /lib64/libc.so.6) by 0x4857A48: iptc_commit (libiptc.c:2676) by 0x10E4BB: iptables_main (iptables-standalone.c:61) by 0x49A3349: (below main) (in /lib64/libc.so.6) Address 0x4b63788 is 40 bytes inside a block of size 1,448 alloc'd at 0x484659F: calloc (vg_replace_malloc.c:1328) by 0x4857654: iptc_commit (libiptc.c:2564) by 0x10E4BB: iptables_main (iptables-standalone.c:61) by 0x49A3349: (below main) (in /lib64/libc.so.6) This is because repl->counters is not initialized upon allocation. Since the field is an array, make use of calloc() which implicitly does the initialization. Fixes: e37c0dc100c51 ("Revert the recent addition of memset()'s to TC_COMMIT. One of them is bogus and the other one needs more investigation to why valgrind is complaining.") Signed-off-by: Phil Sutter --- libiptc/libiptc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c index 97823f935d1ee..f9b7779efdba5 100644 --- a/libiptc/libiptc.c +++ b/libiptc/libiptc.c 
@@ -2554,8 +2554,8 @@ TC_COMMIT(struct xtc_handle *handle) + sizeof(STRUCT_COUNTERS) * new_number; /* These are the old counters we will get from kernel */ - repl->counters = malloc(sizeof(STRUCT_COUNTERS) - * handle->info.num_entries); + repl->counters = calloc(handle->info.num_entries, + sizeof(STRUCT_COUNTERS)); if (!repl->counters) { errno = ENOMEM; goto out_free_repl;
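Review bot: the switch to `calloc(handle->info.num_entries, sizeof(STRUCT_COUNTERS))` for repl->counters needs a code comment saying why the buffer must be zeroed. The Fixes: target is a revert of earlier memset() additions in TC_COMMIT that were dropped as unexplained, and without a comment this line is a candidate for the same treatment. The changelog also stops at "not initialized upon allocation"; stating which entries are read before anything writes them would show that zero is the right value to pass on and not only a way to quiet valgrind. The calloc() form has the side benefit of checking the count-times-size multiplication for overflow, which the malloc() expression did not.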