From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH 1/1] conntrack: fix nfct_clone with certain attribute data types
Date: Tue, 27 Nov 2012 22:15:23 +0100
Message-ID: <20121127211523.GA5131@1984>
In-Reply-To: <1354030656-23507-1-git-send-email-fw@strlen.de>

On Tue, Nov 27, 2012 at 04:37:36PM +0100, Florian Westphal wrote:
> some attributes are pointers to malloc'd objects.  Simply copying the
> pointer results in use-after-free when the original or the clone is
> destroyed.
> 
> Fix it by using nfct_copy instead of memcpy and add proper test case
> for cloned objects:
> - nfct_cmp of orig and clone should return 1 (equal)
> - freeing both the original and the clone should
>   neither leak memory nor result in double-frees.
> 
> the testsuite changes revealed a few more problems:
>  - ct1->timeout == ct2->timeout returned 0, ie. same timeout
>    was considered "not equal" by nfct_cmp
>  - secctx comparison causes "Invalid address" valgrind warnings
>    when pointer is NULL
>  - NFCT_CP_OVERRIDE did not handle helper attribute and
>    erroneously freed ct1 secctx memory.
> 
> While at it, bump qa_test data dummy to 256 (else, valgrind
> complains about move-depends-on-uninitialized-memory).
> 
> Lastly, fix compilation of test_api by killing bogus ATTR_CONNLABEL.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>

This is great, thanks Florian.

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
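
The bug class described in the quoted commit message, as an added example that is not part of this thread or of libnetfilter_conntrack: a memcpy-style clone aliases a heap-owned attribute, while a deep clone gives each object its own copy, and the comparison returns 1 for equal objects without dereferencing a NULL pointer. The `toy_ct` struct and all `toy_*` functions are hypothetical stand-ins, not the library's real layout or API.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a conntrack object (not the library's real layout). */
struct toy_ct {
    unsigned int timeout;
    char *secctx;               /* heap-owned string, may be NULL */
};

/* "Before" behaviour: memcpy duplicates the pointer, not the string it owns. */
struct toy_ct *toy_clone_shallow(const struct toy_ct *ct)
{
    struct toy_ct *c = malloc(sizeof(*c));
    return c ? memcpy(c, ct, sizeof(*c)) : NULL;
}

/* Fixed behaviour: the clone gets its own copy of every heap-owned attribute. */
struct toy_ct *toy_clone_deep(const struct toy_ct *ct)
{
    struct toy_ct *c = calloc(1, sizeof(*c));
    if (!c)
        return NULL;
    c->timeout = ct->timeout;
    if (ct->secctx) {
        size_t n = strlen(ct->secctx) + 1;
        c->secctx = malloc(n);
        if (!c->secctx) { free(c); return NULL; }
        memcpy(c->secctx, ct->secctx, n);
    }
    return c;
}

/* Returns 1 when equal, 0 otherwise; never dereferences a NULL secctx. */
int toy_cmp(const struct toy_ct *a, const struct toy_ct *b)
{
    if (a->timeout != b->timeout)
        return 0;
    if (!a->secctx || !b->secctx)
        return a->secctx == b->secctx;
    return strcmp(a->secctx, b->secctx) == 0;
}

/* Frees the object and the attribute it owns. */
void toy_destroy(struct toy_ct *ct)
{
    if (ct) { free(ct->secctx); free(ct); }
}
```

Calling `toy_destroy` on both an original and its shallow clone frees `secctx` twice; with the deep clone, each object can be destroyed independently.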
