[PATCH] Fix segfault on TCP connection before first passt socket connection
This issue can be reproduced by running passt with TCP forwarding and connecting to that TCP port before the first client (e.g. QEMU) connects to the passt socket. Example: (sleep 0.1; ssh -p 22000 127.0.0.1) & passt -f -t 22000:22 Although this commit likely doesn't fix the root cause of this issue, it does reliably fix the segfault. --- tcp_buf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tcp_buf.c b/tcp_buf.c index bc898de..1a06f15 100644 --- a/tcp_buf.c +++ b/tcp_buf.c @@ -120,6 +120,9 @@ static void tcp_revert_seq(const struct ctx *c, struct tcp_tap_conn **conns, uint32_t seq = ntohl(th->seq); uint32_t peek_offset; + if (conn == NULL) + continue; + if (SEQ_LE(conn->seq_to_tap, seq)) continue; -- 2.47.3
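Review bot: the new `if (conn == NULL) continue;` in tcp_revert_seq(), placed ahead of `SEQ_LE(conn->seq_to_tap, seq)`, skips the frame silently, so a NULL entry in conns[] leaves no trace in the source or at runtime. Since the commit message says the root cause is not addressed, add a comment above the check stating that a NULL entry is not expected at this point, and log the condition before `continue` so it stays visible until the code that fills conns[] is corrected. It is also worth confirming that a frame skipped this way needs no sequence revert, because the loop now leaves it untouched.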
On Tue, Sep 09, 2025 at 05:04:12PM +0200, Volker Diels-Grabsch wrote:
This issue can be reproduced by running passt with TCP forwarding and connecting to that TCP port before the first client (e.g. QEMU) connects to the passt socket. Example:
(sleep 0.1; ssh -p 22000 127.0.0.1) & passt -f -t 22000:22
Although this commit likely doesn't fix the root cause of this issue, it does reliably fix the segfault.
Right, this band-aids the problem, but isn't the correct fix. Getting a NULL pointer here indicates that we're putting a frame into the queue without setting the corresponding tcp_frame_conns[] entry, which is definitely wrong. Thanks for the reproducer, I'm having a look into this now.
--- tcp_buf.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/tcp_buf.c b/tcp_buf.c index bc898de..1a06f15 100644 --- a/tcp_buf.c +++ b/tcp_buf.c @@ -120,6 +120,9 @@ static void tcp_revert_seq(const struct ctx *c, struct tcp_tap_conn **conns, uint32_t seq = ntohl(th->seq); uint32_t peek_offset;
+ if (conn == NULL) + continue; + if (SEQ_LE(conn->seq_to_tap, seq)) continue;
-- 2.47.3
--
David Gibson (he or they)      | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you, not the other way
                               | around.
http://www.ozlabs.org/~dgibson