Bug 182380 - net-firewall/iptables-1.3.5-r4 - double free on rules load
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
Reported: 2007-06-17 19:58 UTC by Christian Anthon
Modified: 2007-08-25 16:23 UTC
Description Christian Anthon 2007-06-17 19:58:06 UTC
When I load this rule
iptables -A INPUT -p udp --dport 51321 -m udp -j ACCEPT
I get a double free error

net-firewall/iptables-1.3.5-r4 

Reproducible: Always

Steps to Reproduce:
run the following script

iptables -X
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT 
iptables -A INPUT -s 192.168.2.0/255.255.255.0 -j ACCEPT 
iptables -A INPUT -p tcp -m multiport --dports 22,80,443,51321 -m tcp -j ACCEPT 
#iptables -A INPUT -p udp --dport 51321 -m udp -j ACCEPT 
iptables -A INPUT -p udp --dport 51321 -j ACCEPT 
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -A INPUT -m limit --limit 10/min -j LOG 

Actual Results:  
double free

Expected Results:  
-

GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run  -A INPUT -p udp --dport 51321 -m udp -j ACCEPT
Starting program: /sbin/iptables -A INPUT -p udp --dport 51321 -m udp -j ACCEPT
*** glibc detected *** /sbin/iptables: double free or corruption (fasttop): 0x08055250 ***
======= Backtrace: =========
/lib/libc.so.6[0xb7e50c42]
/lib/libc.so.6(__libc_free+0x87)[0xb7e522b7]
/sbin/iptables(clear_rule_matches+0x26)[0x8049f66]
/sbin/iptables(do_command+0x117f)[0x804d84f]
/sbin/iptables(main+0x79)[0x8049ca9]
/lib/libc.so.6(__libc_start_main+0xdc)[0xb7e0383c]
/sbin/iptables[0x8049ba1]

Program received signal SIGABRT, Aborted.
0xb7f40410 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7f40410 in __kernel_vsyscall ()
#1  0xb7e16480 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0xb7e17bae in *__GI_abort () at abort.c:88
#3  0xb7e4b1a5 in __libc_message (do_abort=2, fmt=0xb7efb5c0 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0xb7e50c42 in malloc_printerr (action=2, str=0xb7efb654 "double free or corruption (fasttop)", ptr=<value optimized out>) at malloc.c:5758
#5  0xb7e522b7 in *__GI___libc_free (mem=0x8055250) at malloc.c:3541
#6  0x08049f66 in clear_rule_matches (matches=0xbfa6f51c) at iptables.c:1804
#7  0x0804d84f in do_command (argc=11, argv=0xbfa6f624, table=0xbfa6f574, handle=0xbfa6f570) at iptables.c:2495
#8  0x08049ca9 in main (argc=Cannot access memory at address 0x5077
) at iptables-standalone.c:63
Comment 1 Christian Anthon 2007-06-17 20:01:06 UTC
The offending line is commented out in the attached script. It is obviously this script I mean:
iptables -X
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT 
iptables -A INPUT -s 192.168.2.0/255.255.255.0 -j ACCEPT 
iptables -A INPUT -p tcp -m multiport --dports 22,80,443,51321 -m tcp -j ACCEPT 
iptables -A INPUT -p udp --dport 51321 -m udp -j ACCEPT 
#iptables -A INPUT -p udp --dport 51321 -j ACCEPT 
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -A INPUT -m limit --limit 10/min -j LOG 
(In reply to comment #0)
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2007-06-17 20:12:46 UTC
emerge --info please.
Comment 3 Christian Anthon 2007-06-17 20:16:32 UTC
It is an amd64 running 32-bit Gentoo, should that matter.

Portage 2.1.2.7 (default-linux/x86/2007.0, gcc-4.1.2, glibc-2.5-r3, 2.6.20-gentoo-r8 i686)
=================================================================
System uname: 2.6.20-gentoo-r8 i686 AMD Athlon(tm) 64 Processor 3500+
Gentoo Base System release 1.12.9
Timestamp of tree: Fri, 15 Jun 2007 07:30:10 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=k8 -ggdb -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=k8 -ggdb -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer nostrip parallel-fetch sandbox sfperms strict"
GENTOO_MIRRORS="http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo "
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LINGUAS="en da de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X aac acl alsa apache2 apm bash-completion berkdb bitmap-fonts bogofilter branding bzip2 cairo cdparanoia cdr cli cracklib crypt cups dbus doc dri dvd dvdr dvdread emacs esd expat ffmpeg firefox flac fortran gcj gd gdbm gif gimpprint gmp gnome gpm graphviz gs gstreamer gtk gtkhtml hal iconv imlib isdnlog java jpeg kde libg++ mad midi mmx mmxext mp3 mpeg mudflap ncurses nls nptl nptlonly nsplugin nvidia offensive ogg opengl openmp oss pam pcre perl pic png pppd python qt3 qt3support qt4 quicktime readline real reflection sdl session spell spl sqlite sse sse2 ssl suid svg t1lib tcpd tetex tiff truetype truetype-fonts type1-fonts unicode usb vorbis win32codecs wmf x86 xine xml xorg xpm xprint xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en da de" USERLAND="GNU" VIDEO_CARDS="nvida nv vesa"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-06-17 20:21:09 UTC
Reopen.
Comment 5 SpanKY gentoo-dev 2007-06-18 07:55:40 UTC
So why don't you try iptables-1.3.7?
Comment 6 SpanKY gentoo-dev 2007-08-25 16:23:19 UTC
Re-open if it doesn't work with 1.3.8.