From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 10 Sep 2025 11:58:10 +1000
From: David Gibson
To: Volker Diels-Grabsch
Cc: passt-dev@passt.top
Subject: Re: [PATCH] Fix segfault on TCP connection before first passt socket connection
In-Reply-To: <20250909150412.843578-1-v@njh.eu>
References: <20250909150412.843578-1-v@njh.eu>
List-Id: Development discussion and patches for passt

On Tue, Sep 09, 2025 at 05:04:12PM +0200, Volker Diels-Grabsch wrote:
> This issue can be reproduced by running passt with TCP forwarding
> and connecting to that TCP port before the first client (e.g. QEMU)
> connects to the passt socket. Example:
> 
> (sleep 0.1; ssh -p 22000 127.0.0.1) & passt -f -t 22000:22
> 
> Although this commit likely doesn't fix the root cause of this issue,
> it does reliably fix the segfault.

Right, this band-aids the problem, but isn't the correct fix.  Getting
a NULL pointer here indicates that we're putting a frame into the queue
without setting the corresponding tcp_frame_conns[] entry, which is
definitely wrong.

Thanks for the reproducer, I'm having a look into this now.

> ---
>  tcp_buf.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/tcp_buf.c b/tcp_buf.c
> index bc898de..1a06f15 100644
> --- a/tcp_buf.c
> +++ b/tcp_buf.c
> @@ -120,6 +120,9 @@ static void tcp_revert_seq(const struct ctx *c, struct tcp_tap_conn **conns,
>  		uint32_t seq = ntohl(th->seq);
>  		uint32_t peek_offset;
>  
> +		if (conn == NULL)
> +			continue;
> +
>  		if (SEQ_LE(conn->seq_to_tap, seq))
>  			continue;
>  
> -- 
> 2.47.3
> 

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
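Review bot: the "if (conn == NULL) continue;" added ahead of the SEQ_LE(conn->seq_to_tap, seq) test in tcp_revert_seq() removes the dereference that crashed, but it does so by silently dropping that slot from the revert pass, so the condition the reply points at (a frame queued without its tcp_frame_conns[] entry being set) is hidden rather than surfaced, and any seq_to_tap rollback that frame called for is simply not done. Suggest making the broken invariant visible instead of quietly continuing, for example a warning trace or an assertion on conn at that point, and fixing the enqueue path so conns[] is always written alongside the frame; the commit message itself says this does not address the root cause, which argues for a diagnostic rather than a silent skip.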
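A toy model of the invariant behind this exchange, added here as an illustration and not code from passt or from either participant: a frame queue whose conns[] entry is always written together with the frame, a consumer in the shape of the revert loop that reports an orphan slot instead of skipping it, and a cheap consistency check a caller can run. Every toy_* name, the queue layout, the scenario values and the wrap-around model of SEQ_LE are assumptions for this example, not passt's API.

```c
/* Added illustration only: a toy model, not passt's tcp_buf.c.
 * frames[] and conns[] are parallel arrays, as tcp_revert_seq() walks
 * conns[] alongside the queued frames; the invariant is that every
 * slot below count has a non-NULL conns[] entry. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_MAX_FRAMES 8

struct toy_conn {
	uint32_t seq_to_tap;	/* next sequence number to send towards the guest */
};

struct toy_frame {
	uint32_t seq;		/* sequence number in the frame's TCP header */
};

struct toy_queue {
	struct toy_frame frames[TOY_MAX_FRAMES];
	struct toy_conn *conns[TOY_MAX_FRAMES];	/* owner of frames[i] */
	size_t count;
};

/* Modelled SEQ_LE(a, b): a <= b in 32-bit wrap-around arithmetic (assumption). */
static bool toy_seq_le(uint32_t a, uint32_t b)
{
	return (int32_t)(a - b) <= 0;
}

/* The only enqueue path: frame and owner are written together, so a
 * caller cannot leave conns[] stale. Fails on a NULL owner or a full queue. */
bool toy_queue_push(struct toy_queue *q, struct toy_conn *conn, uint32_t seq)
{
	if (!conn || q->count >= TOY_MAX_FRAMES)
		return false;
	q->frames[q->count].seq = seq;
	q->conns[q->count] = conn;
	q->count++;
	return true;
}

/* Consistency check: index of the first slot below count with no owner,
 * or -1 if the queue satisfies the invariant. */
int toy_queue_first_orphan(const struct toy_queue *q)
{
	for (size_t i = 0; i < q->count; i++)
		if (!q->conns[i])
			return (int)i;
	return -1;
}

/* Model of the revert loop: frames from index 'from' onward were not sent,
 * so each owner's seq_to_tap is rolled back to the earliest unsent seq.
 * An orphan slot is reported as -1 instead of being skipped, which is what
 * a bare "if (!conn) continue;" would do. Returns how many owners were rolled back. */
int toy_revert_seq(struct toy_queue *q, size_t from)
{
	int reverted = 0;

	for (size_t i = from; i < q->count; i++) {
		struct toy_conn *conn = q->conns[i];
		uint32_t seq = q->frames[i].seq;

		if (!conn)
			return -1;	/* invariant violated: make it visible */

		if (toy_seq_le(conn->seq_to_tap, seq))
			continue;	/* nothing to roll back for this frame */

		conn->seq_to_tap = seq;
		reverted++;
	}
	return reverted;
}

/* Constructed scenario: two frames queued for one connection, then, when
 * inject_orphan is set, a slot written behind the API's back the way the
 * reported bug would (frame present, owner missing). Returns toy_revert_seq()'s
 * result; seq_to_tap_out (optional) receives the connection's final seq_to_tap. */
int toy_scenario(bool inject_orphan, uint32_t *seq_to_tap_out)
{
	struct toy_queue q;
	struct toy_conn conn = { .seq_to_tap = 1000 };
	int rc;

	memset(&q, 0, sizeof(q));
	toy_queue_push(&q, &conn, 900);
	toy_queue_push(&q, &conn, 950);
	if (inject_orphan) {
		q.frames[q.count].seq = 1100;	/* conns[2] stays NULL */
		q.count++;
	}
	rc = toy_revert_seq(&q, 0);
	if (seq_to_tap_out)
		*seq_to_tap_out = conn.seq_to_tap;
	return rc;
}

int main(void)
{
	uint32_t seq;
	int rc = toy_scenario(false, &seq);

	printf("consistent queue: rolled back %d owner(s), seq_to_tap now %u\n", rc, seq);
	rc = toy_scenario(true, &seq);
	printf("queue with orphan slot: rc %d (invariant violated)\n", rc);
	return 0;
}
```

The point of the model is where the check lives: toy_queue_push() makes it impossible to queue a frame without its owner, and toy_revert_seq() treats a missing owner as an error to report rather than a slot to step over, so the kind of mismatch described in the reply shows up at the first revert instead of being masked.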