core: fix again l3cd comparison

When only one of the two default routes is set, a NULL pointer is dereferenced: Thread 1 "NetworkManager" received signal SIGSEGV, Segmentation fault. nm_l3_config_data_cmp_full (a=a@entry=0x4e2bde0, b=0x4e87330, flags=flags@entry=40) at ../src/core/nm-l3-config-data.c:2622 2622 NMPlatformIP4Route ra = def_route_a->ip4_route; (gdb) bt 0 nm_l3_config_data_cmp_full (a=a@entry=0x4e2bde0, b=0x4e87330, flags=flags@entry=40) at ../src/core/nm-l3-config-data.c:2622 1 in nm_dns_manager_set_ip_config (self=0x4db7520, addr_family=2, source_tag=0x4eb80a0, l3cd=0x4e2bde0, ip_config_type=NM_DNS_IP_CONFIG_TYPE_DEFAULT, replace_all=1) at ../src/core/dns/nm-dns-manager.c:2109 2 in nm_dns_manager_set_ip_config (self=0x4db7520, addr_family=addr_family@entry=0, source_tag=source_tag@entry=0x4eb80a0, l3cd=l3cd@entry=0x4e2bde0, ip_config_type=NM_DNS_IP_CONFIG_TYPE_DEFAULT, replace_all=replace_all@entry=1) at ../src/core/dns/nm-dns-manager.c:2059 3 in device_l3cd_changed (device=0x4eb80a0, l3cd_old=0x4e87330, l3cd_new=0x4e2bde0, user_data=0x4da4548) at ../src/core/nm-policy.c:2518 4 in ffi_call_unix64 () from target:/lib64/libffi.so.8 5 in ffi_call_int.lto_priv () from target:/lib64/libffi.so.8 6 in ffi_call () from target:/lib64/libffi.so.8 7 in g_cclosure_marshal_generic_va () from target:/lib64/libgobject-2.0.so.0 8 in signal_emit_valist_unlocked () from target:/lib64/libgobject-2.0.so.0 9 in g_signal_emit_valist () from target:/lib64/libgobject-2.0.so.0 10 in g_signal_emit () from target:/lib64/libgobject-2.0.so.0 11 in _dev_l3_cfg_notify_cb (l3cfg=0x4e2af20, notify_data=0x7ffd2176dfb0, self=0x4eb80a0) at ../src/core/devices/nm-device.c:4997 If flag NM_L3_CONFIG_CMP_FLAGS_ROUTES is set, let nmp_object_cmp_full() compare the two routes and deal with NULL values. If flag NM_L3_CONFIG_CMP_FLAGS_ROUTES_ID is set, check that both objects are not NULL before accessing them. The crash is only seen when the routes are equal (according to _dedup_multi_index_cmp(), which compares the network, metric and plen), and only one l3cd has a default route. Only routes in the main table qualify as default routes. Fixes: 0a02995175 ('core: fix l3cd comparison') https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1902
2026-05-11 09:18:38 +02:00 · 2026-03-03 10:29:31 +01:00 · 2026-03-03 10:29:31 +01:00 · 6493124403
commit 6493124403
parent a924826e2c
2 changed files with 58 additions and 9 deletions
--- a/src/core/nm-l3-config-data.c
+++ b/src/core/nm-l3-config-data.c
@ -2604,15 +2604,15 @@ nm_l3_config_data_cmp_full(const NML3ConfigData *a,
        const NMPObject *def_route_a = a->best_default_route_x[IS_IPv4];
        const NMPObject *def_route_b = b->best_default_route_x[IS_IPv4];

-        if (def_route_a != def_route_b) {
-            if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES)) {
-                NM_CMP_RETURN(
-                    nmp_object_cmp_full(def_route_a,
-                                        def_route_b,
-                                        NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)
-                                            ? NMP_OBJECT_CMP_FLAGS_NONE
-                                            : NMP_OBJECT_CMP_FLAGS_IGNORE_IFINDEX));
-            } else if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES_ID)) {
+        if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES)) {
+            NM_CMP_RETURN(nmp_object_cmp_full(def_route_a,
+                                              def_route_b,
+                                              NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)
+                                                  ? NMP_OBJECT_CMP_FLAGS_NONE
+                                                  : NMP_OBJECT_CMP_FLAGS_IGNORE_IFINDEX));
+        } else if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES_ID)) {
+            NM_CMP_DIRECT(!!def_route_a, !!def_route_b);
+            if (def_route_a && def_route_b) {
                if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)) {
                    NM_CMP_DIRECT(def_route_a->obj_with_ifindex.ifindex,
                                  def_route_b->obj_with_ifindex.ifindex);
--- a/src/core/tests/test-core.c
+++ b/src/core/tests/test-core.c
@ -20,6 +20,7 @@
 #include "dns/nm-dns-manager.h"
 #include "nm-connectivity.h"
 #include "nm-firewall-utils.h"
+#include "nm-l3-config-data.h"

 #include "nm-test-utils-core.h"

@ -2823,6 +2824,51 @@ test_icmp6_checksum(void)

 /*****************************************************************************/

+static void
+test_l3_config_data_cmp_default_routes(void)
+{
+    nm_auto_unref_dedup_multi_index NMDedupMultiIndex *multi_idx = nm_dedup_multi_index_new();
+    nm_auto_unref_l3cd_init NML3ConfigData            *a         = NULL;
+    nm_auto_unref_l3cd_init NML3ConfigData            *b         = NULL;
+    const int                                          IFINDEX   = 1;
+
+    a = nm_l3_config_data_new(multi_idx, IFINDEX, NM_IP_CONFIG_SOURCE_USER);
+    nm_l3_config_data_add_route_4(
+        a,
+        NM_PLATFORM_IP4_ROUTE_INIT(.ifindex = IFINDEX,
+                                   .network = 0,
+                                   .plen    = 0,
+                                   .gateway = nmtst_inet4_from_string("192.168.1.1"),
+                                   .metric  = 100));
+
+    b = nm_l3_config_data_new(multi_idx, IFINDEX, NM_IP_CONFIG_SOURCE_USER);
+    nm_l3_config_data_add_route_4(
+        b,
+        NM_PLATFORM_IP4_ROUTE_INIT(.ifindex       = IFINDEX,
+                                   .network       = 0,
+                                   .plen          = 0,
+                                   .gateway       = nmtst_inet4_from_string("192.168.1.1"),
+                                   .metric        = 100,
+                                   .table_coerced = nm_platform_route_table_coerce(100)));
+
+    nm_l3_config_data_seal(a);
+    nm_l3_config_data_seal(b);
+
+    g_assert(nm_l3_config_data_get_best_default_route(a, AF_INET));
+    g_assert(!nm_l3_config_data_get_best_default_route(b, AF_INET));
+
+    g_assert_cmpint(nm_l3_config_data_cmp_full(a, b, NM_L3_CONFIG_CMP_FLAGS_ROUTES_ID), !=, 0);
+    g_assert_cmpint(nm_l3_config_data_cmp_full(b, a, NM_L3_CONFIG_CMP_FLAGS_ROUTES_ID), !=, 0);
+
+    g_assert_cmpint(nm_l3_config_data_cmp_full(b, a, NM_L3_CONFIG_CMP_FLAGS_ADDRESSES), ==, 0);
+    g_assert_cmpint(nm_l3_config_data_cmp_full(b, a, NM_L3_CONFIG_CMP_FLAGS_ADDRESSES), ==, 0);
+
+    g_assert_cmpint(nm_l3_config_data_cmp_full(a, a, NM_L3_CONFIG_CMP_FLAGS_ALL), ==, 0);
+    g_assert_cmpint(nm_l3_config_data_cmp_full(b, b, NM_L3_CONFIG_CMP_FLAGS_ALL), ==, 0);
+}
+
+/*****************************************************************************/
+
 NMTST_DEFINE();

 int
@ -2901,5 +2947,8 @@ main(int argc, char **argv)

    g_test_add_func("/core/general/test_icmp6_checksum", test_icmp6_checksum);

+    g_test_add_func("/core/general/test_l3_config_data_cmp_default_routes",
+                    test_l3_config_data_cmp_default_routes);
+
    return g_test_run();
 }