Package: nftables
Version: 0.9.8-3.1
Severity: normal
Tags: upstream

There's an off-by-one error in the part of the error-reporting code that keeps
track of the possible places where an error may occur, which may result in
memory corruption and double frees.

Here's a somewhat contrived example:

# nft add table ip6 t
# nft add chain ip6 t c
# nft add rule ip6 t c \
> meta l4proto tcp \
> tcp flags syn \
> tcp option sack-perm kind 1 \
> tcp option window kind 1 \
> tcp option nop kind 1 \
> tcp option maxseg count 1234 \
> tcp option sack kind 1 \
> tcp option eol kind 1 \
> tcp dport 12345 \
> ip6 saddr :: \
> ip6 daddr :: \
> ip6 dscp af11 \
> ip6 dscp set af12 \
> counter log
free(): invalid pointer
Aborted

Valgrind shows this:

Invalid free() / delete / delete[] / realloc()
   at 0x484217B: free (vg_replace_malloc.c:872)
   by 0x488F969: cmd_free (rule.c:1673)
   by 0x48C0B47: nft_run_cmd_from_buffer (libnftables.c:485)
   by 0x10A8C5: main (main.c:489)
 Address 0x4c90a18 is 24 bytes inside a block of size 120 free'd
   at 0x484217B: free (vg_replace_malloc.c:872)
   by 0x4892193: stmt_free (statement.c:54)
   by 0x4892193: stmt_list_free (statement.c:63)
   by 0x488F9C7: rule_free (rule.c:688)
   by 0x488F9C7: rule_free (rule.c:684)
   by 0x488F9C7: cmd_free (rule.c:1639)
   by 0x48C0B47: nft_run_cmd_from_buffer (libnftables.c:485)
   by 0x10A8C5: main (main.c:489)
 Block was alloc'd at
   at 0x48445EF: calloc (vg_replace_malloc.c:1328)
   by 0x48B9BBD: xmalloc (utils.c:36)
   by 0x48B9BBD: xzalloc (utils.c:65)
   by 0x489248D: stmt_alloc (statement.c:41)
   by 0x489248D: log_stmt_alloc (statement.c:404)
   by 0x48D7E52: nft_parse (parser_bison.y:2808)
   by 0x48C0C16: nft_parse_bison_buffer (libnftables.c:389)
   by 0x48C0C16: nft_run_cmd_from_buffer (libnftables.c:461)
   by 0x10A8C5: main (main.c:489)

This has been fixed upstream:
https://lore.kernel.org/netfilter-devel/20210611164104.8121-11-p...@nwl.cc/

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (900, 'stable'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'stable-security'), (99, 'unstable'), (90, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.19.0-rc3-nf-next-ulthar-20220707+ (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nftables depends on:
ii  dpkg          1.21.9
ii  libc6         2.33-8
ii  libedit2      3.1-20210910-1
ii  libnftables1  0.9.8-3.1

nftables recommends no packages.

Versions of packages nftables suggests:
pn  firewalld  <none>

-- no debconf information