| commit | c5f95710c2e70dc84ecdbca786ac83415f24dc79 | |
| author | Patrick McHardy <kaber@trash.net> | |
| Wed, 16 May 2007 16:56:11 +0000 (16 18:56 +0200) | ||
| committer | Chris Wright <chrisw@sous-sol.org> | |
| Wed, 23 May 2007 21:32:54 +0000 (23 14:32 -0700) | ||
| tree | dabc19456372249b4387f8ffe14294f86fac85fc | treesnapshot (tar.gz zip) |
| parent | 7fe23b5d8557c09a01d5a089878f25d52b5f1c05 | commitdiff |
[PATCH] NETFILTER: {ip,nf}_conntrack: fix use-after-free in helper destroy callback invocation
When the helper module is removed for a master connection that has a
fulfilled expectation, but has already timed out and got removed from
the hash tables, nf_conntrack_helper_unregister can't find the master
connection to unset the helper, causing a use-after-free when the
expected connection is destroyed and releases the last reference to
the master.
The helper destroy callback was introduced for the PPtP helper to clean
up expectations and expected connections when the master connection
times out, but doing this from destroy_conntrack only works for
unfulfilled expectations since expected connections hold a reference
to the master, preventing its destruction. Move the destroy callback to
the timeout function, which fixes both problems.
Reported/tested by Gabor Burjan <buga@buvoshetes.hu>.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
When the helper module is removed for a master connection that has a
fulfilled expectation, but has already timed out and got removed from
the hash tables, nf_conntrack_helper_unregister can't find the master
connection to unset the helper, causing a use-after-free when the
expected connection is destroyed and releases the last reference to
the master.
The helper destroy callback was introduced for the PPtP helper to clean
up expectations and expected connections when the master connection
times out, but doing this from destroy_conntrack only works for
unfulfilled expectations since expected connections hold a reference
to the master, preventing its destruction. Move the destroy callback to
the timeout function, which fixes both problems.
Reported/tested by Gabor Burjan <buga@buvoshetes.hu>.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
| net/ipv4/netfilter/ip_conntrack_core.c | diffblobblamehistory | |
| net/netfilter/nf_conntrack_core.c | diffblobblamehistory |