OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete
  • Task Type Bug Report
  • Category Base system
  • Assigned To
    Hans Dedecker
  • Operating System All
  • Severity High
  • Priority Very Low
  • Reported Version openwrt-18.06
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by xavifr - 01.10.2018
Last edited by Hans Dedecker - 01.10.2018

FS#1875 - netifd: segmentation fault when using _network rules_

Using openwrt-18.06 in a Linksys WRT1200-AC

I have a rule in my config_network with an out option inside

config rule 
	option out 'wan'
	option lookup '102'
	option priority '21000'

and a USB interface like this one

config interface 'usb'
	option auto '0'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'
	option pincode ''
	option apn ''
	option username 'MOVISTAR'
	option password 'MOVISTAR'

When the wan interface is not yet up (dhcp failed/cable not connected/etc) and I try to bring up usb interface, netifd crashes with a segmentation fault.

After a lot of tries, I’ve removed the config rule and it started working.

I’ve followed the execution to locate where the segmentation fault happens and I’ve found the following path:

 179         vlist_for_each_element(&iprules, rule, node) {
 180                 if (rule_ready(rule))
 181                         continue;
 183                 if (!strcmp(rule->out_iface, iface->name)) {
 184                         memcpy(rule->out_dev, iface->>ifname, sizeof(rule->out_dev));
 185                         interface_add_user(&rule->out_iface_user, iface);
 186                 }
 188                 if (!strcmp(rule->in_iface, iface->name)) {
 189                         memcpy(rule->in_dev, iface->>ifname, sizeof(rule->in_dev));
 190                         interface_add_user(&rule->in_iface_user, iface);
 191                 }
 192         }

At line 180, rule_ready(rule) returns false if at least one of in_iface or out_iface is set (with the appropriate flag).
When comparing at line 183 and 188, out_iface could be NULL if the rule had only in_iface and vice-versa at line 188, so strcmp will throw a segmentation fault.

I see two approaches to fix that:

  • Check rule flags for IPRULE_IN/OUT before strcmp
  • Check if rule->in/out_iface are not NULL before strcmp
Closed by  Hans Dedecker
01.10.2018 20:35
Reason for closing:  Fixed
Additional comments about closing:  

Fixed in commit https://git.op;a=commit;h=aeec2a0c6b6bc16a2e43de8f79ddee1bf3d1af40
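
The two checks proposed in the report, combined in a reduced model of the loop body. This is an added example, not netifd's code and not the contents of the fix commit; the struct layout, the helper names side_matches and bind_rule, and the device names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Reduced model for illustration; not netifd's real structures. */
#define IPRULE_IN  (1u << 0)
#define IPRULE_OUT (1u << 1)
#define DEV_LEN 16

struct rule {
    unsigned flags;          /* which of in/out the rule configured */
    const char *in_iface;    /* NULL when "option in" is absent */
    const char *out_iface;   /* NULL when "option out" is absent */
    char in_dev[DEV_LEN];
    char out_dev[DEV_LEN];
};

/* strcmp() on a NULL pointer is undefined behaviour, so test first. */
static int side_matches(const struct rule *r, unsigned flag,
                        const char *want, const char *iface_name)
{
    return (r->flags & flag) && want && iface_name &&
           strcmp(want, iface_name) == 0;
}

/* Returns the mask of sides bound to the interface that just came up. */
unsigned bind_rule(struct rule *r, const char *iface_name, const char *ifname)
{
    unsigned bound = 0;

    if (side_matches(r, IPRULE_OUT, r->out_iface, iface_name)) {
        snprintf(r->out_dev, sizeof(r->out_dev), "%s", ifname);
        bound |= IPRULE_OUT;
    }
    if (side_matches(r, IPRULE_IN, r->in_iface, iface_name)) {
        snprintf(r->in_dev, sizeof(r->in_dev), "%s", ifname);
        bound |= IPRULE_IN;
    }
    return bound;
}

int main(void)
{
    /* Constructed rule mirroring the report: only "option out 'wan'". */
    struct rule r = { .flags = IPRULE_OUT, .out_iface = "wan" };

    printf("usb up: bound=%u\n", bind_rule(&r, "usb", "wwan0"));
    printf("wan up: bound=%u out_dev=%s\n", bind_rule(&r, "wan", "eth1"), r.out_dev);
    return 0;
}
```

With the out-only rule from the report, bringing up 'usb' leaves the rule untouched instead of dereferencing the unset in_iface pointer.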

