Bug#838370: mxml: 2.10 seems to break libnftnl XML integration

[Arturo Borrero Gonzalez]

On 20 September 2016 at 15:02, Arturo Borrero Gonzalez
<arturo.borrero.g...@gmail.com> wrote:
>
> The debian continuous integration system reported issues with
> libnftnl which led me to the mxml.

More info,

it was able to run valgrind and gdb over the failing program.

Here is the trace gdb backtrace:

[...]
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff779b124 in ?? () from /usr/lib/x86_64-linux-gnu/libmxml.so.1
(gdb) bt
#0  0x00007ffff779b124 in ?? () from /usr/lib/x86_64-linux-gnu/libmxml.so.1
#1  0x00007ffff779b4ac in mxmlSaveString () from
/usr/lib/x86_64-linux-gnu/libmxml.so.1
#2  0x00007ffff779b556 in mxmlSaveAllocString () from
/usr/lib/x86_64-linux-gnu/libmxml.so.1
#3  0x00007ffff7bc069d in nftnl_mxml_expr_parse
(node=node@entry=0x60cc20, err=err@entry=0x60b050,
set_list=set_list@entry=0x60b2d0) at mxml.c:83
#4  0x00007ffff7bb9997 in nftnl_mxml_rule_parse (tree=0x60c7a0,
r=r@entry=0x60d8c0, err=err@entry=0x60b050, set_list=0x60b2d0) at
rule.c:667
#5  0x00007ffff7bbeb83 in nftnl_ruleset_parse_rules
(ctx=ctx@entry=0x7fffffffd460, err=err@entry=0x60b050) at
ruleset.c:445
#6  0x00007ffff7bbf0db in nftnl_ruleset_xml_parse_ruleset
(err=0x60b050, ctx=0x7fffffffd460) at ruleset.c:626
#7  nftnl_ruleset_xml_parse_cmd (ctx=0x7fffffffd460, err=0x60b050,
cmd=<optimized out>) at ruleset.c:665
#8  nftnl_ruleset_xml_parse (cb=<optimized out>, arg=<optimized out>,
type=NFTNL_PARSE_XML, input=<optimized out>, err=0x60b050,
xml=<optimized out>)
    at ruleset.c:704
#9  nftnl_ruleset_do_parse (type=<optimized out>, data=<optimized
out>, err=0x60b050, input=<optimized out>, arg=<optimized out>,
cb=<optimized out>)
    at ruleset.c:732
#10 0x000000000040139a in test_xml
(filename=filename@entry=0x7fffffffd520 "xmlfiles/66-rule-real.xml",
err=err@entry=0x60b050) at nft-parsing-test.c:166
#11 0x00000000004016d5 in execute_test (dir_name=0x7fffffffe8a7
"xmlfiles") at nft-parsing-test.c:214
#12 0x0000000000400e9b in main (argc=<optimized out>,
argv=0x7fffffffe668) at nft-parsing-test.c:330

Here is the valgrind run:

% valgrind .libs/nft-parsing-test -d xmlfiles
==11111== Memcheck, a memory error detector
==11111== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==11111== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==11111== Command: .libs/nft-parsing-test -d xmlfiles
==11111==
==11111== Invalid read of size 8
==11111==    at 0x5276124: ??? (in /usr/lib/x86_64-linux-gnu/libmxml.so.1.5)
==11111==    by 0x52764AB: mxmlSaveString (in
/usr/lib/x86_64-linux-gnu/libmxml.so.1.5)
==11111==    by 0x5276555: mxmlSaveAllocString (in
/usr/lib/x86_64-linux-gnu/libmxml.so.1.5)
==11111==    by 0x4E4F69C: nftnl_mxml_expr_parse (mxml.c:83)
==11111==    by 0x4E48996: nftnl_mxml_rule_parse (rule.c:667)
==11111==    by 0x4E4DB82: nftnl_ruleset_parse_rules (ruleset.c:445)
==11111==    by 0x4E4E0DA: nftnl_ruleset_xml_parse_ruleset (ruleset.c:626)
==11111==    by 0x4E4E0DA: nftnl_ruleset_xml_parse_cmd (ruleset.c:665)
==11111==    by 0x4E4E0DA: nftnl_ruleset_xml_parse (ruleset.c:704)
==11111==    by 0x4E4E0DA: nftnl_ruleset_do_parse (ruleset.c:732)
==11111==    by 0x401399: test_xml (nft-parsing-test.c:166)
==11111==    by 0x4016D4: execute_test (nft-parsing-test.c:214)
==11111==    by 0x400E9A: main (nft-parsing-test.c:330)
==11111==  Address 0x30 is not stack'd, malloc'd or (recently) free'd
==11111==
==11111==
==11111== Process terminating with default action of signal 11 (SIGSEGV)
==11111==  Access not within mapped region at address 0x30
==11111==    at 0x5276124: ??? (in /usr/lib/x86_64-linux-gnu/libmxml.so.1.5)
==11111==    by 0x52764AB: mxmlSaveString (in
/usr/lib/x86_64-linux-gnu/libmxml.so.1.5)
==11111==    by 0x5276555: mxmlSaveAllocString (in
/usr/lib/x86_64-linux-gnu/libmxml.so.1.5)
==11111==    by 0x4E4F69C: nftnl_mxml_expr_parse (mxml.c:83)
==11111==    by 0x4E48996: nftnl_mxml_rule_parse (rule.c:667)
==11111==    by 0x4E4DB82: nftnl_ruleset_parse_rules (ruleset.c:445)
==11111==    by 0x4E4E0DA: nftnl_ruleset_xml_parse_ruleset (ruleset.c:626)
==11111==    by 0x4E4E0DA: nftnl_ruleset_xml_parse_cmd (ruleset.c:665)
==11111==    by 0x4E4E0DA: nftnl_ruleset_xml_parse (ruleset.c:704)
==11111==    by 0x4E4E0DA: nftnl_ruleset_do_parse (ruleset.c:732)
==11111==    by 0x401399: test_xml (nft-parsing-test.c:166)
==11111==    by 0x4016D4: execute_test (nft-parsing-test.c:214)
==11111==    by 0x400E9A: main (nft-parsing-test.c:330)
==11111==  If you believe this happened as a result of a stack
==11111==  overflow in your program's main thread (unlikely but
==11111==  possible), you can try to increase the size of the
==11111==  main thread stack using the --main-stacksize= flag.
==11111==  The main thread stack size used in this run was 8388608.
==11111==
==11111== HEAP SUMMARY:
==11111==     in use at exit: 37,521 bytes in 86 blocks
==11111==   total heap usage: 96 allocs, 10 frees, 42,193 bytes allocated
==11111==
==11111== LEAK SUMMARY:
==11111==    definitely lost: 0 bytes in 0 blocks
==11111==    indirectly lost: 0 bytes in 0 blocks
==11111==      possibly lost: 0 bytes in 0 blocks
==11111==    still reachable: 37,521 bytes in 86 blocks
==11111==         suppressed: 0 bytes in 0 blocks
==11111== Rerun with --leak-check=full to see details of leaked memory
==11111==
==11111== For counts of detected and suppressed errors, rerun with: -v
==11111== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

The program that produces the segfault is nft-parsing-test inside the
libnftnl tree, under tests/, running it like this:
 libnftnl/tests/ % ./nft-parsing-test -d xmlfiles

regards
-- 
Arturo Borrero González