From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org, davem@davemloft.net
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Evgeniy Polyakov <johnpol@2ka.mipt.ru>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: [patch 03/60] NETFILTER: Fix NULL pointer dereference in nf_nat_move_storage()
Date: Wed, 12 Dec 2007 22:51:10 -0800
Message-ID: <20071213065110.GD6867@kroah.com>
In-Reply-To: <20071213065039.GA6867@kroah.com>
[-- Attachment #1: netfilter-fix-null-pointer-dereference-in-nf_nat_move_storage.patch --]
[-- Type: text/plain, Size: 1684 bytes --]
2.6.23-stable review patch. If anyone has any objections, please let us
know.
------------------
From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
[NETFILTER]: Fix NULL pointer dereference in nf_nat_move_storage()
[ Upstream commit: 7799652557d966e49512479f4d3b9079bbc01fff ]
Reported by Chuck Ebbert as:
https://bugzilla.redhat.com/show_bug.cgi?id=259501#c14
This routine is called each time hash should be replaced, nf_conn has
extension list which contains pointers to connection tracking users
(like nat, which is right now the only such user), so when replace takes
place it should copy own extensions. Loop above checks for own
extension, but tries to move higher-layer one, which can lead to above
oops.
Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
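To make the indexing mistake concrete before the diff, here is an added C model of the loop the commit message describes. It is not kernel code and not part of this patch: `ext_area`, `ext_types`, `move_extensions` and `make_conn_with_nat` are simplified stand-ins for the conntrack extension structures. It assumes, as a labelled simplification, that an extension which is not present has offset 0 and that this is what the loop's own-extension check tests; the real layout differs in detail.

```c
/* Toy model of the extension-move loop from the commit message above.
 * Added example, not kernel code. Assumption: an absent extension has
 * offset 0, which is what the loop's existence check looks at. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ext_id { EXT_NAT = 0, EXT_NEW = 1, EXT_NUM };

struct ext_area {
    uint8_t offset[EXT_NUM];  /* byte offset of each extension; 0 = absent */
    uint8_t len;              /* bytes used so far */
    char data[];              /* extension storage follows the header */
};

struct conn {
    struct ext_area *ext;
};

/* Stand-in for the per-type move hook (nf_nat_move_storage() in the real
 * tree): it is handed the storage that supposedly belongs to its extension. */
struct ext_type {
    void (*move)(struct conn *ct, void *storage);
};

static void *last_moved_storage;   /* records what the NAT hook was handed */

static void nat_move(struct conn *ct, void *storage)
{
    (void)ct;
    last_moved_storage = storage;
}

static struct ext_type ext_types[EXT_NUM] = {
    [EXT_NAT] = { .move = nat_move },
    [EXT_NEW] = { .move = NULL },
};

/* Walk every extension type, as the function in the patch does while adding
 * extension `id`. `fixed` selects offset[i] (the upstream fix) instead of
 * offset[id] (the bug). Returns the pointer the NAT hook received. */
void *move_extensions(struct conn *ct, enum ext_id id, int fixed)
{
    last_moved_storage = NULL;
    for (unsigned i = 0; i < EXT_NUM; i++) {
        if (ct->ext->offset[i] == 0)      /* own-extension check: skip absent */
            continue;
        const struct ext_type *t = &ext_types[i];
        if (t->move)
            t->move(ct, (char *)ct->ext + ct->ext->offset[fixed ? i : id]);
    }
    return last_moved_storage;
}

/* Constructed input: a conn that already carries a NAT extension and is
 * about to have EXT_NEW added (so EXT_NEW has no storage yet). */
#define NAT_BYTES 16
static char area_backing[sizeof(struct ext_area) + NAT_BYTES];

struct conn *make_conn_with_nat(void)
{
    static struct conn ct;
    struct ext_area *ext = (struct ext_area *)area_backing;
    memset(area_backing, 0, sizeof area_backing);
    ext->offset[EXT_NAT] = sizeof(struct ext_area);  /* NAT data follows header */
    ext->offset[EXT_NEW] = 0;                        /* being added: absent */
    ext->len = sizeof(struct ext_area) + NAT_BYTES;
    ct.ext = ext;
    return &ct;
}

/* Where the NAT hook should be pointed: the NAT extension's own bytes. */
void *nat_storage(struct conn *ct)
{
    return (char *)ct->ext + ct->ext->offset[EXT_NAT];
}

int main(void)
{
    struct conn *ct = make_conn_with_nat();
    void *buggy = move_extensions(ct, EXT_NEW, 0);
    void *good  = move_extensions(ct, EXT_NEW, 1);
    printf("offset[id]: hook got header itself? %s\n",
           buggy == (void *)ct->ext ? "yes" : "no");
    printf("offset[i]:  hook got its own storage? %s\n",
           good == nat_storage(ct) ? "yes" : "no");
    return 0;
}
```

With `offset[id]`, the hook for the NAT type is handed `ct->ext` itself (offset 0, because the extension being added has no storage yet) instead of the NAT bytes; a real move hook that then reads a pointer field out of that memory reads header bytes, which is the kind of bogus dereference the report describes. With `offset[i]` each hook receives the storage of the extension the loop actually found.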
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -109,7 +109,7 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
rcu_read_lock();
t = rcu_dereference(nf_ct_ext_types[i]);
if (t && t->move)
- t->move(ct, ct->ext + ct->ext->offset[id]);
+ t->move(ct, ct->ext + ct->ext->offset[i]);
rcu_read_unlock();
}
kfree(ct->ext);
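Review bot: indexing the move call with the loop variable `i` instead of `id` is the right fix, since `id` is the extension being added by `__nf_ct_ext_add()` and the commit message says the loop's own check looks at the extension under iteration; with `offset[id]` the `move` hook of the type found at `i` was handed storage for a different extension, which is the oops described. The seven lines of context do not show the loop header or that existence check, so confirm in the full function that `i` ranges over `nf_ct_ext_types` and that the skip for absent extensions sits before `rcu_read_lock()`; the `rcu_dereference()` / `t->move` pairing under the per-iteration lock is otherwise fine. It would also help the stable backport note to state explicitly that `id` and `i` are distinct here, as the one-character change is easy to misread as a typo fix.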