Bug 205928 - Ipfw segmentation fault with nat command
Summary: Ipfw segmentation fault with nat command
Status: Closed DUPLICATE of bug 203494
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 10.1-RELEASE
Hardware: amd64 Any
: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2016-01-05 18:25 UTC by mk+freebsd
Modified: 2016-01-09 09:45 UTC (History)

Description mk+freebsd 2016-01-05 18:25:03 UTC
I was testing nat with ipfw, and during my test (reading the example file), a segmentation fault was found after executing one example command.

Here is the bug:
----------------------------------------------------------------------
$ ipfw add nat
Segmentation fault
$ echo $?
139
----------------------------------------------------------------------

Here is a small investigation:
----------------------------------------------------------------------
# cd /usr/src/sbin/ipfw
# make DEBUG_FLAGS=-g
$ gdb ./ipfw
(gdb) run add nat
Program received signal SIGSEGV, Segmentation fault.
0x0000000800b85fbb in strlen () from /lib/libc.so.7
(gdb) i r
rax            0x1b     27
rbx            0x6183f0 6390768
rcx            0x0      0
rdx            0x0      0
rsi            0x0      0
rdi            0x0      0
rbp            0x7fffffffd2e0   0x7fffffffd2e0
rsp            0x7fffffffd2e0   0x7fffffffd2e0
r8             0xfffff80235122920       -8786612704992
r9             0x0      0
r10            0x0      0
r11            0x246    582
r12            0x801406050      34380734544
r13            0x801406058      34380734552
r14            0x0      0
r15            0x3      3
rip            0x800b85fbb      0x800b85fbb <strlen+11>
eflags         0x10246  66118
cs             0x43     67
ss             0x3b     59
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) bt
#0  0x0000000800b85fbb in strlen () from /lib/libc.so.7
#1  0x0000000000405c43 in ipfw_add (av=0x801406058) at ipfw2.c:527
#2  0x0000000000410182 in ipfw_main (oldac=<value optimized out>, oldav=<value optimized out>) at main.c:407
#3  0x000000000040f55b in main (ac=3, av=0x7fffffffe688) at main.c:620
----------------------------------------------------------------------

After adding some C code into main.c:
----------------------------------------------------------------------
$ svnlite diff ipfw2.c
Index: ipfw2.c
===================================================================
--- ipfw2.c     (revision 291749)
+++ ipfw2.c     (working copy)
@@ -522,6 +522,7 @@
 int
 _substrcmp(const char *str1, const char* str2)
 {
+       printf("str1: %s, str2: %s\n", str1, str2);
 
        if (strncmp(str1, str2, strlen(str1)) != 0)
                return 1;
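Review bot: the added `printf("str1: %s, str2: %s\n", str1, str2)` hands a possibly-NULL str1 to `%s`, which is itself undefined behaviour; the "(null)" seen in the captured output is a libc convenience, not something to rely on, so guard it with `str1 ? str1 : "(null)"` if the trace is kept. The trace does show that str1 already arrives NULL from the caller (ipfw_add at ipfw2.c:527 in the backtrace), so the missing check belongs in the caller's argument walk rather than inside `_substrcmp`, which both `strncmp` and `strlen` assume is given valid strings.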
@@ -2865,6 +2866,7 @@
         * Some things that need to go out of order (prob, action etc.)
         * go into actbuf[].
         */
+       printf("in\n");
        static uint32_t rulebuf[255], actbuf[255], cmdbuf[255];
        int rblen, ablen, cblen;
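Review bot: the `printf("in\n")` is inserted before the `static uint32_t rulebuf[255], actbuf[255], cmdbuf[255];` declaration, so a statement now precedes declarations in that block; FreeBSD style(9) keeps declarations first and a compiler in C89 mode rejects this ordering. Move the print below the `int rblen, ablen, cblen;` line. As a temporary debugging aid this is fine, but neither printf should end up in a committed change.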
----------------------------------------------------------------------

This code returns this:
----------------------------------------------------------------------
str1: add, str2: queue
str1: add, str2: flowset
str1: add, str2: sched
str1: add, str2: add
before: 
in
str1: (null), str2: global
Segmentation fault
----------------------------------------------------------------------

So, ipfw tries to compare a null pointer to a const char* in the strncmp() function. I don't know if this segmentation fault is due to this last function, or linked to another issue.

If you have any idea. ;)
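As an added illustration (not code from this report or from the FreeBSD tree), the prefix comparison as far as the hunk shows it sits beside a NULL-checked variant and a stand-in for the operand check the crashing caller lacks; `substrcmp_checked` and `nat_operand_kind` are hypothetical names, and the `_substrcmp` body is reproduced only as far as the hunk above shows it.

```c
#include <stdio.h>
#include <string.h>

/* Prefix comparison as far as the hunk above shows it (the rest of the
 * real _substrcmp is not on this page).  strlen(NULL) is undefined and
 * faults on this platform, which is frame #0 of the backtrace. */
int substrcmp_unchecked(const char *str1, const char *str2)
{
	if (strncmp(str1, str2, strlen(str1)) != 0)
		return 1;
	return 0;
}

/* Hypothetical hardened variant: a missing operand is simply "no match". */
int substrcmp_checked(const char *str1, const char *str2)
{
	if (str1 == NULL || str2 == NULL)
		return 1;
	if (strncmp(str1, str2, strlen(str1)) != 0)
		return 1;
	return 0;
}

/* Hypothetical stand-in for the operand walk after "add nat": the trace
 * shows _substrcmp being reached with str1 == NULL and str2 == "global".
 * Returns -1 when the argument list is exhausted, 1 for "global",
 * 0 for any other operand. */
int nat_operand_kind(const char *arg)
{
	if (arg == NULL)		/* the bounds check the crashing path lacks */
		return -1;
	return substrcmp_checked(arg, "global") == 0 ? 1 : 0;
}

/* Constructed argument vectors mirroring "ipfw add nat" and
 * "ipfw add nat global" (the arguments following the "nat" keyword). */
int main(void)
{
	const char *missing[] = { NULL };
	const char *global[] = { "global", NULL };

	printf("add nat        -> %d\n", nat_operand_kind(missing[0]));
	printf("add nat global -> %d\n", nat_operand_kind(global[0]));
	return 0;
}
```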
Comment 1 Andrey V. Elsukov freebsd_committer freebsd_triage 2016-01-09 09:45:42 UTC
Hi, this is already fixed. Thanks!

*** This bug has been marked as a duplicate of bug 203494 ***