* [PATCH]: fix potential use after free in destroy_conntrack
@ 2003-06-20 10:44 Patrick McHardy
  2003-06-24 16:11 ` Harald Welte
  0 siblings, 1 reply; 3+ messages in thread
From: Patrick McHardy @ 2003-06-20 10:44 UTC (permalink / raw)
  To: harald.welte; +Cc: netfilter-devel

[-- Attachment #1: Type: TEXT/PLAIN, Size: 251 bytes --]

Hi Harald,
I missed this in my last patch (remove ct->master double check),
the reference to the master conntrack should not be dropped
until the expectation has deleted itself from the list.
This makes the last patch obsolete.

Best regards,
Patrick

[-- Attachment #2: Type: TEXT/PLAIN, Size: 1074 bytes --]

===== net/ipv4/netfilter/ip_conntrack_core.c 1.21 vs edited =====
--- 1.21/net/ipv4/netfilter/ip_conntrack_core.c	Fri Jun 20 05:37:56 2003
+++ edited/net/ipv4/netfilter/ip_conntrack_core.c	Fri Jun 20 12:33:23 2003
@@ -313,9 +313,6 @@
 	IP_NF_ASSERT(atomic_read(&nfct->use) == 0);
 	IP_NF_ASSERT(!timer_pending(&ct->timeout));
 
-	if (ct->master && master_ct(ct))
-		ip_conntrack_put(master_ct(ct));
-
 	/* To make sure we don't get any weird locking issues here:
 	 * destroy_conntrack() MUST NOT be called with a write lock
 	 * to ip_conntrack_lock!!! -HW */
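Review bot: With the early put removed here, nothing at this point in destroy_conntrack() records why the master's reference has to outlive the expectation's removal from the list, so a later cleanup could move it back. A one-line comment, here or beside the new `ip_conntrack_put(ct->master->expectant);`, stating that the reference is held until the expectation is unlinked would document the ordering. The removed code also went through `master_ct(ct)` while the replacement dereferences `ct->master->expectant` directly; using one form consistently would make it easier to confirm that both refer to the same object.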
@@ -332,9 +329,12 @@
 
 	/* Delete our master expectation */
 	if (ct->master) {
-		/* can't call __unexpect_related here,
-		 * since it would screw up expect_list */
-		list_del(&ct->master->expected_list);
+		if (ct->master->expectant) {
+			/* can't call __unexpect_related here,
+			 * since it would screw up expect_list */
+			list_del(&ct->master->expected_list);
+			ip_conntrack_put(ct->master->expectant);
+		}
 		kfree(ct->master);
 	}
 	WRITE_UNLOCK(&ip_conntrack_lock);
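Review bot: The new `ip_conntrack_put(ct->master->expectant);` runs before `WRITE_UNLOCK(&ip_conntrack_lock);`, so it executes with the write lock held, while the comment kept in the previous hunk says destroy_conntrack() MUST NOT be called with a write lock on ip_conntrack_lock. If this put can drop the last reference to the master and so reach destroy_conntrack() for it, that rule is violated. Consider saving the pointer in a local while the lock is held, doing the `list_del()` and `kfree(ct->master)` as now, and calling `ip_conntrack_put()` on the saved pointer after the unlock. That still keeps the put after the list removal, which is what the description asks for.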


* Re: [PATCH]: fix potential use after free in destroy_conntrack
  2003-06-20 10:44 [PATCH]: fix potential use after free in destroy_conntrack Patrick McHardy
@ 2003-06-24 16:11 ` Harald Welte
  2003-06-24 16:35   ` Patrick McHardy
  0 siblings, 1 reply; 3+ messages in thread
From: Harald Welte @ 2003-06-24 16:11 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 948 bytes --]

On Fri, Jun 20, 2003 at 12:44:14PM +0200, Patrick McHardy wrote:
> Hi Harald,

btw: harald.welte@gnumonks.org is not a valid email address.

> I missed this in my last patch (remove ct->master double check),
> the reference to the master conntrack should not be dropped
> until the expectation has deleted itself from the list.
> This makes the last patch obsolete.

Argh. I should have read the mailing list before sending patches to davem.

Will submit an incremental patch to davem before this ends up in the
2.4.22-pre series.

> Best regards,
> Patrick

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie


* Re: [PATCH]: fix potential use after free in destroy_conntrack
  2003-06-24 16:11 ` Harald Welte
@ 2003-06-24 16:35   ` Patrick McHardy
  0 siblings, 0 replies; 3+ messages in thread
From: Patrick McHardy @ 2003-06-24 16:35 UTC (permalink / raw)
  To: Harald Welte; +Cc: Patrick McHardy, netfilter-devel

Harald Welte wrote:

> btw: harald.welte@gnumonks.org is not a valid email address.

Good to know, I usually rely on Mozilla auto-completion, I have
no idea where it picked it up ;)

Bye
Patrick
