[PATCH, RFC] possible use of freed skbuff in netfilter.c

[PATCH, RFC] possible use of freed skbuff in netfilter.c

[Bart De Schuymer]

Hello Dave,

When dev_put'ing bridge devices in netfilter.c::reinject the skb can already 
be freed. The patch below fixes this by delaying the freeing of the skb a 
bit. AFAIK, calling kfree_skb outside the read_lock causes no problems.
Could someone of the netfilter core team approve or disapprove this change?
This is bug 86 of the netfilter bugtracking system.

cheers,
Bart

--- linux-2.5.68/net/core/netfilter.c.old	Fri Apr 25 19:23:35 2003
+++ linux-2.5.68/net/core/netfilter.c	Fri Apr 25 19:24:47 2003
@@ -559,10 +559,6 @@
 		nf_queue(skb, elem, info->pf, info->hook, 
 			 info->indev, info->outdev, info->okfn);
 		break;
-
-	case NF_DROP:
-		kfree_skb(skb);
-		break;
 	}
 	br_read_unlock_bh(BR_NETPROTO_LOCK);
 
@@ -578,6 +574,10 @@
 	}
 #endif
 
+
+	if (verdict == NF_DROP)
+		kfree_skb(skb);
+
 	kfree(info);
 	return;
 }

Re: [PATCH, RFC] possible use of freed skbuff in netfilter.c

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 911 bytes --]

On Fri, Apr 25, 2003 at 07:57:17PM +0200, Bart De Schuymer wrote:
> Hello Dave,
> 
> When dev_put'ing bridge devices in netfilter.c::reinject the skb can already 
> be freed. The patch below fixes this by delaying the freeing of the skb a 
> bit. AFAIK, calling kfree_skb outside the read_lock causes no problems.
> Could someone of the netfilter core team approve or disapprove this change?
> This is bug 86 of the netfilter bugtracking system.

I'm fine with this fix, please apply (if it isn't already).

> cheers,
> Bart

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]

Re: [PATCH, RFC] possible use of freed skbuff in netfilter.c

[David S. Miller]

   From: Harald Welte <laforge@netfilter.org>
   Date: Tue, 29 Apr 2003 16:51:29 +0200

   I'm fine with this fix, please apply (if it isn't already).

Applied.  Should we be putting this fix into 2.4.x as well?

Re: [PATCH, RFC] possible use of freed skbuff in netfilter.c

[Bart De Schuymer]

On Wednesday 30 April 2003 08:54, David S. Miller wrote:
>    I'm fine with this fix, please apply (if it isn't already).
>
> Applied.  Should we be putting this fix into 2.4.x as well?

No, this is only related to 2.5.

-- 
cheers,
Bart

Re: [PATCH, RFC] possible use of freed skbuff in netfilter.c

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 782 bytes --]

On Tue, Apr 29, 2003 at 11:54:44PM -0700, David S. Miller wrote:
>    From: Harald Welte <laforge@netfilter.org>
>    Date: Tue, 29 Apr 2003 16:51:29 +0200
> 
>    I'm fine with this fix, please apply (if it isn't already).
> 
> Applied.  Should we be putting this fix into 2.4.x as well?

Since 2.4.x doesn't have the physindev/physoutdev, the bug is not
present in 2.4.x - and thus no fix needed.

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]