netdev.vger.kernel.org archive mirror
From: Patrick McHardy <kaber@trash.net>
To: David <david@unsolicited.net>
Cc: "Ismail Dönmez" <ismail@pardus.org.tr>, netdev@vger.kernel.org
Subject: Re: Netfilter: kernel panic with REDIRECT target. (2.6.23 and 2.6.23.8)
Date: Sun, 18 Nov 2007 20:54:11 +0100
Message-ID: <47409863.8000902@trash.net>
In-Reply-To: <474093E0.3090007@unsolicited.net>

[-- Attachment #1: Type: text/plain, Size: 795 bytes --]

David wrote:
> Ismail Dönmez wrote:
>   
>> Written on Sunday 18 November 2007 at 21:00:12:
>>   
>>     
>>> I'm (very) far from being firewall configuration expert, but I'm seeing
>>> a consistent kernel panic when the following rule is triggered.
>>>
>>>     iptables -t nat -A PREROUTING -j REDIRECT -i eth2 -p udp --dport 5061 --to-ports 5060
>>>
>>> (I'm trying to redirect an alternate port to a SIP server)
>>>
>>> Am I just being very stupid, or is there something I'm not seeing here?
>>>     
>>>       
>> Also post the kernel panic log.
>>   
>>     
> This is a bit difficult since the server is headless (normally). I can
> try to obtain the panic via a temporary console, but it may have to wait
> for a day or two.
>   

Please try if this patch fixes the problem.

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 1545 bytes --]

[NETFILTER]: Fix NULL pointer dereference in nf_nat_move_storage()

Reported by Chuck Ebbert as:

	https://bugzilla.redhat.com/show_bug.cgi?id=259501#c14

This routine is called each time hash should be replaced, nf_conn has
extension list which contains pointers to connection tracking users
(like nat, which is right now the only such user), so when replace takes
place it should copy own extensions. Loop above checks for own
extension, but tries to move higher-layer one, which can lead to above
oops.

Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>

---
commit 7799652557d966e49512479f4d3b9079bbc01fff
tree c0895084e075bf53697a66816e6bfcbe28d3859d
parent a5a97263a9fd6a94f954d41ae3233ea65a90bd8a
author Evgeniy Polyakov <johnpol@2ka.mipt.ru> Thu, 15 Nov 2007 15:52:32 -0800
committer David S. Miller <davem@davemloft.net> Thu, 15 Nov 2007 15:52:32 -0800

 net/netfilter/nf_conntrack_extend.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index a1a65a1..cf6ba66 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -109,7 +109,7 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
 			rcu_read_lock();
 			t = rcu_dereference(nf_ct_ext_types[i]);
 			if (t && t->move)
-				t->move(ct, ct->ext + ct->ext->offset[id]);
+				t->move(ct, ct->ext + ct->ext->offset[i]);
 			rcu_read_unlock();
 		}
 		kfree(ct->ext);
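
Review bot: on the changed line, `ct->ext + ct->ext->offset[i]` does the addition on `ct->ext` itself, so if `ct->ext` is a typed struct pointer and `offset[]` holds byte offsets, the result is scaled by the struct size and lands past the intended extension. Suggest casting first, e.g. `(void *)ct->ext + ct->ext->offset[i]`. The only guard visible before the call is `t && t->move`; please confirm that the enclosing loop also skips any `i` whose extension is not present on this conntrack, otherwise `move` is handed the start of the extension area for a type that was never added.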
