GNOME Bugzilla – Bug 797022
NULL pointer deref in add_ip_config (src/dns/nm-dns-dnsmasq.c:186) because ip_data->domains.reverse is NULL
Last modified: 2018-09-14 08:05:02 UTC
Backtrace:
+ Trace 238677
The code in question:

    for (j = 0; ip_data->domains.reverse[j]; j++) {
        add_dnsmasq_nameserver (self, servers,
                                ip_addr_to_string_buf,
                                ip_data->domains.reverse[j]);
    }

The code expects 'reverse' to never be NULL but it was:

    (gdb) print ip_data
    $2 = (const NMDnsIPConfigData *) 0x7f9804013590
    (gdb) print ip_data->domains
    $3 = {search = 0x560fe4e51120, reverse = 0x0}

I sadly don't know how this can happen or under which circumstances this happens.
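The state reported above (a valid `search` array next to a NULL `reverse` pointer) differs from an allocated but empty array, and only the NULL case crashes the unguarded loop. The following is an added example, not NetworkManager code: `DomainLists`, `strv_len_safe` and `emit_reverse_entries` are hypothetical names, and the sample data is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the struct seen in the gdb output: two
 * NULL-terminated string arrays, either of which may itself be NULL. */
typedef struct {
    const char **search;
    const char **reverse;
} DomainLists;

/* Length of a NULL-terminated string array; a NULL array counts as empty. */
static size_t strv_len_safe(const char *const *strv)
{
    size_t n = 0;

    if (!strv)
        return 0;
    while (strv[n])
        n++;
    return n;
}

/* Same shape as the loop in the report: one (domain, server) pair per
 * reverse domain. Returns the number of pairs written to 'out'. */
static size_t emit_reverse_entries(const DomainLists *d, const char *server, FILE *out)
{
    size_t j, n = strv_len_safe(d->reverse);   /* NULL check lives in one place */

    for (j = 0; j < n; j++)
        fprintf(out, "%s -> %s\n", d->reverse[j], server);
    return n;
}

int main(void)
{
    /* Constructed sample data. */
    const char *search[] = { "fritz.box", NULL };
    const char *rev[]    = { "1.168.192.in-addr.arpa", NULL };
    const char *empty[]  = { NULL };
    DomainLists crashed = { search, NULL };   /* state from the gdb session */
    DomainLists blank   = { search, empty };  /* allocated but empty array */
    DomainLists normal  = { search, rev };

    printf("%zu\n", emit_reverse_entries(&crashed, "192.168.1.1", stdout));
    printf("%zu\n", emit_reverse_entries(&blank, "192.168.1.1", stdout));
    printf("%zu\n", emit_reverse_entries(&normal, "192.168.1.1", stdout));
    return 0;
}
```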
Can you reliably reproduce the problem? The obvious fix for this is: @@ -180,16 +180,18 @@ add_ip_config (NMDnsDnsmasq *self, GVariantBuilder *servers, const NMDnsIPConfig add_dnsmasq_nameserver (self, servers, ip_addr_to_string_buf, domain[0] ? domain : NULL); } - for (j = 0; ip_data->domains.reverse[j]; j++) { - add_dnsmasq_nameserver (self, servers, - ip_addr_to_string_buf, - ip_data->domains.reverse[j]); + if (ip_data->domains.reverse) { + for (j = 0; ip_data->domains.reverse[j]; j++) { + add_dnsmasq_nameserver (self, servers, + ip_addr_to_string_buf, + ip_data->domains.reverse[j]); + } } } } but I wonder how reverse domains can be empty (i.e. the device has no IP address) when there is a nameserver. Maybe there is another bug elsewhere...
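Review bot: The new `if (ip_data->domains.reverse)` guard around the `for (j = 0; ...)` loop carries no comment saying when `reverse` may be NULL, so it reads as if NULL were an expected state, while the text right after the patch doubts that it should happen when a nameserver is present. Suggest a short comment above the guard naming the condition, plus a debug-level log in the NULL case so the upstream cause can still be tracked down once the crash is gone. The extra nesting level can also be avoided by folding the check into the loop condition: `for (j = 0; ip_data->domains.reverse && ip_data->domains.reverse[j]; j++)`.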
I sadly can't reproduce the issue but I'll ask my colleague who had this segfault to directly comment on this bug. Maybe he has more details. I was also wondering how this can happen and if this is something that shouldn't happen. Hence I didn't include a patch. ;-)
I can reproduce, but I don't have instructions for how to repro. I see from syslog that it only seems to crash with my home network and it seems to crash whenever I disconnect from my home network. Unfortunately I am unable to test/reproduce until ~mid September.

My home network has two APs.
- AP1 is a Fritz!Box connecting to my uplink and serves as DHCP server with static IP per MAC. Iirc, AP1 also has a caching DNS server and adds the typical "fritz.box" and a few other names.
- AP2 is some (tp-link?) AP, which serves as the wifi hotspot and also passes through ethernet connections to a 1G ethernet switch. AP2 is running OpenWRT.

My laptop is connected via wifi directly with AP2. It is also connected to a thunderbolt3 docking station which has a 1G connection to AP2 through the ethernet switch. Most of the time, my laptop is connected both via wifi and ethernet and when unplugging from the dock (which seems to be correlated with the segfault), only the wired connection is disconnected.

My network setup did not change since I upgraded to NM v1.12.0-5 and I did not see these crashes before when I was running NM v1.10.2-1, so I'm pretty sure this bug was introduced between these two versions.
I can add my network.log from shortly before a crash:

Aug 23 20:50:24 $HOSTNAME wpa_supplicant[1290]: nl80211: Ignore RTM_NEWLINK event for foreign ifindex 5
Aug 23 20:50:24 $HOSTNAME dhclient[89771]: receive_packet failed on enx0050b68b74e4: Network is down
Aug 23 20:50:24 $HOSTNAME wpa_supplicant[1290]: nl80211: Ignore RTM_DELLINK event for foreign ifindex 5
Aug 23 20:50:24 $HOSTNAME NetworkManager[84922]: <info> [1535050224.6517] policy: set 'Auto $WIFI_SSID' ( wlp4s0) as default for IPv4 routing and DNS
Aug 23 20:50:24 $HOSTNAME NetworkManager[84922]: <info> [1535050224.6519] device (enx0050b68b74e4): state change: activated -> unmanaged (reason 'removed', sys-iface-state: 'removed')
Aug 23 20:50:24 $HOSTNAME NetworkManager[84922]: <info> [1535050224.6697] dhcp4 (enx0050b68b74e4): canceled DHCP transaction, DHCP client pid 89771
Aug 23 20:50:24 $HOSTNAME NetworkManager[84922]: <info> [1535050224.6698] dhcp4 (enx0050b68b74e4): state changed bound -> done
Aug 23 20:50:24 $HOSTNAME NetworkManager[84922]: <info> [1535050224.6700] dhcp6 (enx0050b68b74e4): canceled DHCP transaction
Aug 23 20:50:24 $HOSTNAME NetworkManager[113553]: <info> [1535050224.8528] NetworkManager (version 1.12.0) is starting... (after a restart)

I've checked another instance of the crash and the log looks similar, so it probably is related to me unplugging the laptop and NM switching from ethernet as default to wifi as default connection. I see it crashes shortly after some canceled dhcp6 transaction. My network only has IPv6 locally, so I don't have global IPv6 addresses (the Fritz!Box doesn't support it sadly).

Let me know if you need more information.
Created attachment 373639
[PATCH] dns: dnsmasq: avoid crash when no reverse domains exist
Created attachment 373640
[PATCH v2] dns: dnsmasq: avoid crash when no reverse domains exist

(v2: added Fixes: tag to commit message)
(In reply to Beniamino Galvani from comment #5)
> Created attachment 373640
> [PATCH v2] dns: dnsmasq: avoid crash when no reverse domains exist
>
> (v2: added Fixes: tag to commit message)

lgtm
Applied to master: https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=f0c075f05082e4c77fac75ad06d303e7538e4fc7 and nm-1-14, nm-1-12 branches.
Thanks!
Thanks. :-)