From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Ren Wei <n05ec@lzu.edu.cn>
Cc: netfilter-devel@vger.kernel.org, fw@strlen.de, phil@nwl.cc,
alin.nastac@gmail.com, yuantan098@gmail.com, yifanwucs@gmail.com,
tomapufckgml@gmail.com, bird@lzu.edu.cn,
chzhengyang2023@lzu.edu.cn
Subject: Re: [PATCH nf 1/1] netfilter: nf_conntrack_sip: guard against missing skb dst
Date: Fri, 26 Jun 2026 12:47:28 +0200 [thread overview]
Message-ID: <aj5YwOF4Kc71OTdf@chamomile> (raw)
In-Reply-To: <47e6e0bdba06326388cd7778403326ff78faf8f0.1782349677.git.chzhengyang2023@lzu.edu.cn>
On Fri, Jun 26, 2026 at 02:49:37PM +0800, Ren Wei wrote:
> From: Zhengyang Chen <chzhengyang2023@lzu.edu.cn>
>
> set_expected_rtp_rtcp() dereferences skb_dst(skb)->dev when
> sip_external_media is enabled. The SIP helper can run from tc ingress
> before routing has attached a dst to the skb, so skb_dst(skb) can be
> NULL and the helper crashes while parsing SDP media expectations.
If SIP helper can run from tc ingress, then this has not ever worked?
Else tc needs to be fixed to set a router to skb before calling the
helper.
I don't think this fix belong here.
> Handle a missing skb dst by skipping the same-interface external-media
> optimization. Still release the routed media dst when one was obtained,
> and keep the existing expectation setup path unchanged.
>
> Fixes: a3419ce3356c ("netfilter: nf_conntrack_sip: add sip_external_media logic")
> Cc: stable@vger.kernel.org
> Reported-by: Yuan Tan <yuantan098@gmail.com>
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Assisted-by: Codex:gpt-5.4
> Signed-off-by: Zhengyang Chen <chzhengyang2023@lzu.edu.cn>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
>
> ---
> net/netfilter/nf_conntrack_sip.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
> index 5ec3a4a4bbd7..302dc60c5381 100644
> --- a/net/netfilter/nf_conntrack_sip.c
> +++ b/net/netfilter/nf_conntrack_sip.c
> @@ -956,7 +956,8 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff,
> return NF_ACCEPT;
> saddr = &ct->tuplehash[!dir].tuple.src.u3;
> } else if (sip_external_media) {
> - struct net_device *dev = skb_dst(skb)->dev;
> + struct dst_entry *skbdst = skb_dst(skb);
> + struct net_device *dev = skbdst ? skbdst->dev : NULL;
> struct dst_entry *dst = NULL;
> struct flowi fl;
>
> @@ -977,12 +978,14 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff,
> /* Don't predict any conntracks when media endpoint is reachable
> * through the same interface as the signalling peer.
> */
> - if (dst) {
> + if (dst && dev) {
> bool external_media = (dst->dev == dev);
>
> dst_release(dst);
> if (external_media)
> return NF_ACCEPT;
> + } else if (dst) {
> + dst_release(dst);
> }
> }
>
> --
> 2.43.0
>
next prev parent reply other threads:[~2026-06-26 10:47 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <cover.1782349677.git.chzhengyang2023@lzu.edu.cn>
2026-06-26 6:49 ` [PATCH nf 1/1] netfilter: nf_conntrack_sip: guard against missing skb dst Ren Wei
2026-06-26 10:47 ` Pablo Neira Ayuso [this message]
2026-06-26 11:35 ` Pablo Neira Ayuso
2026-06-27 3:37 ` 陈正阳
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aj5YwOF4Kc71OTdf@chamomile \
--to=pablo@netfilter.org \
--cc=alin.nastac@gmail.com \
--cc=bird@lzu.edu.cn \
--cc=chzhengyang2023@lzu.edu.cn \
--cc=fw@strlen.de \
--cc=n05ec@lzu.edu.cn \
--cc=netfilter-devel@vger.kernel.org \
--cc=phil@nwl.cc \
--cc=tomapufckgml@gmail.com \
--cc=yifanwucs@gmail.com \
--cc=yuantan098@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.