On Tue, Sep 09, 2025 at 05:04:12PM +0200, Volker Diels-Grabsch wrote: > This issue can be reproduced by running passt with TCP forwarding > and connecting to that TCP port before the first client (e.g. QEMU) > connects to the passt socket. Example: > > (sleep 0.1; ssh -p 22000 127.0.0.1) & passt -f -t 22000:22 > > Although this commit likely doesn't fix the root cause of this issue, > it does reliably fix the segfault. Right, this band-aids the problem, but isn't the correct fix. Getting a NULL pointer here indicates that we're putting a frame into the queue without setting the corresponding tcp_frame_conns[] entry, which is definitely wrong. Thanks for the reproducer, I'm having a look into this now. > --- > tcp_buf.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/tcp_buf.c b/tcp_buf.c > index bc898de..1a06f15 100644 > --- a/tcp_buf.c > +++ b/tcp_buf.c > @@ -120,6 +120,9 @@ static void tcp_revert_seq(const struct ctx *c, struct tcp_tap_conn **conns, > uint32_t seq = ntohl(th->seq); > uint32_t peek_offset; > > + if (conn == NULL) > + continue; > + > if (SEQ_LE(conn->seq_to_tap, seq)) > continue; > > -- > 2.47.3 > -- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson
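Review bot: the `if (conn == NULL) continue;` added at the top of the loop in tcp_revert_seq() silently skips the sequence revert for that frame, which hides the invariant violation the reply points out (a frame queued without its tcp_frame_conns[] entry set) rather than surfacing it; as the reply states, that masks the root cause. If a guard is kept while the queuing path is fixed, prefer an assertion, or at least a logged error (e.g. via the project's existing logging/assert helpers, whichever applies), so the missing tcp_frame_conns[] assignment shows up in testing instead of leaving seq_to_tap un-reverted for the affected frame. The commit message should also name the reproducer condition (a TCP client connecting to the forwarded port before the first guest attaches to the passt socket) so the real fix can be verified against it.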