* [NETFILTER 00/04]: Netfilter fixes
@ 2006-11-27 18:20 Patrick McHardy
2006-11-27 18:20 ` [NETFILTER 01/04]: nfctnetlink: assign helper to newly created conntrack Patrick McHardy
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Patrick McHardy @ 2006-11-27 18:20 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
Hi Dave,
following are a few small netfilter fixes for 2.6.19, fixing multiple
refcount leaks and a nf_conntrack helper assignment race which can
lead to use-after-free.
Please apply, thanks.
net/ipv4/netfilter/ip_conntrack_core.c | 6 +++---
net/ipv4/netfilter/ip_conntrack_netlink.c | 1 +
net/netfilter/nf_conntrack_core.c | 19 +++++++++----------
net/netfilter/nf_conntrack_netlink.c | 9 +++++++++
4 files changed, 22 insertions(+), 13 deletions(-)
Patrick McHardy:
[NETFILTER]: ctnetlink: fix reference count leak
Yasuyuki Kozakai:
[NETFILTER]: nfctnetlink: assign helper to newly created conntrack
[NETFILTER]: nf_conntrack: fix the race on assign helper to new conntrack
[NETFILTER]: conntrack: fix refcount leak when finding expectation
* [NETFILTER 01/04]: nfctnetlink: assign helper to newly created conntrack
From: Patrick McHardy @ 2006-11-27 18:20 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: nfctnetlink: assign helper to newly created conntrack
This fixes the bug which doesn't assign helper to newly created
conntrack via nf_conntrack_netlink.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit cbf15ed58d4934fe480fc1760a5ea71d35eafcf7
tree ce0afad3be2d1944b321c5e135f3cee84281f29e
parent a07a4f6c88cef7a5cbe0950229913dd087434f88
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Mon, 27 Nov 2006 18:56:24 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 27 Nov 2006 19:10:44 +0100
net/netfilter/nf_conntrack_netlink.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index bd0156a..77a46ee 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -949,6 +949,7 @@ ctnetlink_create_conntrack(struct nfattr
{
struct nf_conn *ct;
int err = -EINVAL;
+ struct nf_conn_help *help;
ct = nf_conntrack_alloc(otuple, rtuple);
if (ct == NULL || IS_ERR(ct))
@@ -976,9 +977,16 @@ #if defined(CONFIG_NF_CONNTRACK_MARK)
ct->mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
#endif
+ help = nfct_help(ct);
+ if (help)
+ help->helper = nf_ct_helper_find_get(rtuple);
+
add_timer(&ct->timeout);
nf_conntrack_hash_insert(ct);
+ if (help && help->helper)
+ nf_ct_helper_put(help->helper);
+
return 0;
err:
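Review bot: the reference taken by nf_ct_helper_find_get(rtuple) is dropped again by nf_ct_helper_put(help->helper) while help->helper still points at the helper, so once this function returns the conntrack keeps the pointer without the reference that was pinning it. Please add a comment next to the put saying what keeps the helper valid for the conntrack's lifetime after that point. Also, help->helper is re-read after nf_conntrack_hash_insert(ct), when ct is already reachable from other contexts; holding the looked-up helper in a local variable and calling the put on that local would avoid depending on the field being unchanged.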
* [NETFILTER 02/04]: nf_conntrack: fix the race on assign helper to new conntrack
From: Patrick McHardy @ 2006-11-27 18:20 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: nf_conntrack: fix the race on assign helper to new conntrack
The found helper cannot be assigned to conntrack after unlocking
nf_conntrack_lock. This tries to find helper to assign again.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit a88ad2f562c2c108f76adfda4d5ee954e09e6d98
tree c0b7259465e28021e6c7a2c3892e742876f45bbf
parent cbf15ed58d4934fe480fc1760a5ea71d35eafcf7
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Mon, 27 Nov 2006 18:56:25 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 27 Nov 2006 19:10:44 +0100
net/netfilter/nf_conntrack_core.c | 13 ++++++-------
1 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 836541e..0f58307 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -893,12 +893,6 @@ __nf_conntrack_alloc(const struct nf_con
memset(conntrack, 0, nf_ct_cache[features].size);
conntrack->features = features;
- if (helper) {
- struct nf_conn_help *help = nfct_help(conntrack);
- NF_CT_ASSERT(help);
- help->helper = helper;
- }
-
atomic_set(&conntrack->ct_general.use, 1);
conntrack->ct_general.destroy = destroy_conntrack;
conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig;
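Review bot: missing documentation at the removal site in __nf_conntrack_alloc(): after this block is gone, nothing in the lines shown stores `helper` on the conntrack, and a reader will wonder why a helper that was already looked up is not assigned. A short comment here stating that the assignment is deliberately deferred to the caller that holds nf_conntrack_lock, as the changelog explains, would stop someone from re-adding the store in the allocator later.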
@@ -982,8 +976,13 @@ #ifdef CONFIG_NF_CONNTRACK_SECMARK
#endif
nf_conntrack_get(&conntrack->master->ct_general);
NF_CT_STAT_INC(expect_new);
- } else
+ } else {
+ struct nf_conn_help *help = nfct_help(conntrack);
+
+ if (help)
+ help->helper = __nf_ct_helper_find(&repl_tuple);
NF_CT_STAT_INC(new);
+ }
/* Overload tuple linked list to put us in unconfirmed list. */
list_add(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL].list, &unconfirmed);
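Review bot: the new else branch replaces the removed NF_CT_ASSERT(help) with a silent `if (help)`, so if __nf_ct_helper_find(&repl_tuple) would match a helper but the conntrack was allocated without a help area, the helper is skipped with no trace. Either keep an assertion for that case or add a comment explaining why it cannot occur. The lookup is also not paired with any get or put in this hunk, so a one-line comment that it relies on nf_conntrack_lock being held at this point would document the requirement the changelog describes.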
* [NETFILTER 03/04]: ctnetlink: fix reference count leak
From: Patrick McHardy @ 2006-11-27 18:20 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: ctnetlink: fix reference count leak
When NFA_NEST exceeds the skb size the protocol reference is leaked.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 7d79b94fc3d91498b8f2ff655839ad84d3390b13
tree 696fa16de7c8051fee047121a9747301c65b94f5
parent a88ad2f562c2c108f76adfda4d5ee954e09e6d98
author Patrick McHardy <kaber@trash.net> Mon, 27 Nov 2006 18:56:26 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 27 Nov 2006 19:10:45 +0100
net/ipv4/netfilter/ip_conntrack_netlink.c | 1 +
net/netfilter/nf_conntrack_netlink.c | 1 +
2 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c
index 262d0d4..55f0ae6 100644
--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -153,6 +153,7 @@ ctnetlink_dump_protoinfo(struct sk_buff
return ret;
nfattr_failure:
+ ip_conntrack_proto_put(proto);
return -1;
}
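Review bot: ip_conntrack_proto_put(proto) under nfattr_failure is only correct if every jump to that label happens after the reference on proto has been taken; the hunk does not show the jump sites, so please confirm that none of them, including any hidden inside attribute macros, can run before the get. If one can, the label needs to be split so the early exit skips the put.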
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 77a46ee..ab67c2b 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -161,6 +161,7 @@ ctnetlink_dump_protoinfo(struct sk_buff
return ret;
nfattr_failure:
+ nf_ct_proto_put(proto);
return -1;
}
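Review bot: style point on the two exits of ctnetlink_dump_protoinfo(): the nfattr_failure path now carries its own nf_ct_proto_put(proto) separately from the `return ret;` exit above it. If the success path drops the same reference just before returning, folding both into a single exit that sets ret and falls through to one put would keep the next added error path from leaking the reference the same way.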
* [NETFILTER 04/04]: conntrack: fix refcount leak when finding expectation
From: Patrick McHardy @ 2006-11-27 18:20 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: conntrack: fix refcount leak when finding expectation
All users of __{ip,nf}_conntrack_expect_find() don't expect that
it increments the reference count of expectation.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit a9c71b046b2ba5ced529e0cf53a061c02b2bbf4b
tree f0d31367b29c1ebccdd3aaa35771a2f5adfcae11
parent 7d79b94fc3d91498b8f2ff655839ad84d3390b13
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Mon, 27 Nov 2006 18:56:27 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 27 Nov 2006 19:10:45 +0100
net/ipv4/netfilter/ip_conntrack_core.c | 6 +++---
net/netfilter/nf_conntrack_core.c | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index 143c466..8b848aa 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -225,10 +225,8 @@ __ip_conntrack_expect_find(const struct
struct ip_conntrack_expect *i;
list_for_each_entry(i, &ip_conntrack_expect_list, list) {
- if (ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) {
- atomic_inc(&i->use);
+ if (ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask))
return i;
- }
}
return NULL;
}
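Review bot: missing documentation on __ip_conntrack_expect_find(): with atomic_inc(&i->use) removed, the function returns a pointer that carries no reference, so it is only safe to use while the caller holds ip_conntrack_lock. Please add a comment above the function saying that the lock must be held across the call and every use of the result, and that callers needing the expectation after unlocking must go through the referenced variant.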
@@ -241,6 +239,8 @@ ip_conntrack_expect_find(const struct ip
read_lock_bh(&ip_conntrack_lock);
i = __ip_conntrack_expect_find(tuple);
+ if (i)
+ atomic_inc(&i->use);
read_unlock_bh(&ip_conntrack_lock);
return i;
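Review bot: missing documentation on ip_conntrack_expect_find(): the added `if (i) atomic_inc(&i->use);` makes this the only one of the two similarly named lookups that hands back a reference, and the only difference in the names is the leading underscores. A comment stating that the returned expectation is referenced and must be released by the caller would make the ownership contract explicit at the point where it is established.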
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 0f58307..de0567b 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -469,10 +469,8 @@ __nf_conntrack_expect_find(const struct
struct nf_conntrack_expect *i;
list_for_each_entry(i, &nf_conntrack_expect_list, list) {
- if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) {
- atomic_inc(&i->use);
+ if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask))
return i;
- }
}
return NULL;
}
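Review bot: the changelog says all users of __{ip,nf}_conntrack_expect_find() do not expect the increment, but with atomic_inc(&i->use) removed here, any caller that did release the result would now drop a reference it never took. Please list the audited callers of __nf_conntrack_expect_find() in the changelog, or confirm that none of them calls a put on the returned expectation, so the claim can be checked against the tree.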
@@ -485,6 +483,8 @@ nf_conntrack_expect_find(const struct nf
read_lock_bh(&nf_conntrack_lock);
i = __nf_conntrack_expect_find(tuple);
+ if (i)
+ atomic_inc(&i->use);
read_unlock_bh(&nf_conntrack_lock);
return i;
* Re: [NETFILTER 00/04]: Netfilter fixes
From: David Miller @ 2006-11-27 18:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Mon, 27 Nov 2006 19:20:53 +0100 (MET)
> following are a few small netfilter fixes for 2.6.19, fixing multiple
> refcount leaks and a nf_conntrack helper assignment race which can
> lead to use-after-free.
>
> Please apply, thanks.
Applied, thanks a lot Patrick.