From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
To: Chuck Ebbert <cebbert@redhat.com>
Cc: netfilter-devel@vger.kernel.org,
Patrick McHardy <kaber@trash.net>,
Netdev <netdev@vger.kernel.org>
Subject: Re: Null pointer dereference in nf_nat_move_storage(), kernel 2.6.23.1
Date: Thu, 15 Nov 2007 15:06:59 +0300
Message-ID: <20071115120658.GA17667@2ka.mipt.ru>
In-Reply-To: <473B83DB.5040303@redhat.com>
Hi Chuck.
On Wed, Nov 14, 2007 at 06:25:15PM -0500, Chuck Ebbert (cebbert@redhat.com) wrote:
> > https://bugzilla.redhat.com/show_bug.cgi?id=259501#c14
> > [<f8b61643>] __nf_ct_ext_add+0x12f/0x1c4 [nf_conntrack]
> > nf_nat_move_storage():
> > /usr/src/debug/kernel-2.6.23/linux-2.6.23.i686/net/ipv4/netfilter/nf_nat_core.c:612
> > 87: f7 47 64 80 01 00 00 testl $0x180,0x64(%edi)
> > 8e: 74 39 je c9 <nf_nat_move_storage+0x65>
> >
> > line 612:
> > if (!(ct->status & IPS_NAT_DONE_MASK))
> > return;
Please test the attached patch.
This routine is called each time the hash should be replaced. nf_conn has an
extension list which contains pointers to connection tracking users
(like nat, which is right now the only such user), so when a replace takes
place it should copy its own extensions. The loop above checks for its own
extension, but tries to move the higher-layer one, which can lead to the above
oops.
Not tested, derived from code observation only.
Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index a1a65a1..cf6ba66 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -109,7 +109,7 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
rcu_read_lock();
t = rcu_dereference(nf_ct_ext_types[i]);
if (t && t->move)
- t->move(ct, ct->ext + ct->ext->offset[id]);
+ t->move(ct, ct->ext + ct->ext->offset[i]);
rcu_read_unlock();
}
kfree(ct->ext);
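Review bot: the index change is the right fix, but the one-line hunk deserves a comment explaining why, since `offset[id]` and `offset[i]` look interchangeable at a glance. `id` is the extension currently being added, so its slot has not been assigned yet and reads as 0; every move callback was therefore handed `ct->ext + 0`, the header of the extension area, and nf_nat_move_storage() then read a bogus back-pointer out of it, which matches the reported null dereference on `ct->status`. `offset[i]` is the slot the `nf_ct_ext_exist(ct, i)` check just confirmed is populated. Something like `/* move extension i, not the one being added */` above the call would stop this regressing, and since the description says the patch is untested, a note on how it was reproduced would help the maintainers.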
--
Evgeniy Polyakov
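To make the failure mode above concrete, here is an added, constructed C model of the extension-area move loop; it is not kernel code and the struct layouts (ext_hdr, conn, conn_nat, NAT_OFF) are simplified stand-ins for nf_ct_ext, nf_conn and nf_conn_nat. It adds a helper extension to a conn that already carries NAT storage and reports whether the NAT move callback was handed its own storage (offset[i]) or the area header (offset[id]).

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the 2.6.23 conntrack extension area; not kernel code. */
enum ext_id { EXT_HELPER = 0, EXT_NAT = 1, EXT_NUM = 2 };

struct ext_hdr {               /* stands in for struct nf_ct_ext */
    uint8_t offset[EXT_NUM];   /* 0 == extension absent (nf_ct_ext_exist) */
    uint8_t len;               /* bytes used, header included */
};
struct conn { unsigned long status; struct ext_hdr *ext; };  /* nf_conn */
struct conn_nat { uint64_t bysource[2]; struct conn *ct; };   /* nf_conn_nat */

#define NAT_OFF 8  /* ALIGN(sizeof(struct ext_hdr), 8): where NAT data lives */

/* Model of nf_nat_move_storage(): 1 if the back-pointer it reads is sane.
 * The kernel dereferences old_nat->ct->status here, which is the oops. */
static int nat_move(struct conn *ct, void *old)
{
    struct conn_nat *old_nat = old;  /* only valid if old is the NAT storage */
    return old_nat->ct == ct;
}

/* Model of the move loop in __nf_ct_ext_add() while adding extension id.
 * fixed != 0 indexes offset[] by the loop variable i (the patch); otherwise
 * by id, the extension being added, whose offset is still 0. */
static int ext_add_move_loop(struct conn *ct, enum ext_id id, int fixed)
{
    int ok = 1, i;
    for (i = 0; i < EXT_NUM; i++) {
        if (!ct->ext->offset[i])  /* nf_ct_ext_exist(ct, i) */
            continue;
        uint8_t off = fixed ? ct->ext->offset[i] : ct->ext->offset[id];
        if (i == EXT_NAT)
            ok &= nat_move(ct, (char *)ct->ext + off);
    }
    return ok;
}

/* Build a conn that already has NAT storage, then add HELPER to it.
 * Returns 1 if the NAT move saw its own storage, 0 if it saw the header. */
int simulate_add_helper(int fixed)
{
    struct conn ct = { .status = 0 };
    char *buf = calloc(1, NAT_OFF + sizeof(struct conn_nat) + 16);
    struct conn_nat *nat = (struct conn_nat *)(buf + NAT_OFF);
    ct.ext = (struct ext_hdr *)buf;
    ct.ext->offset[EXT_NAT] = NAT_OFF;
    ct.ext->len = NAT_OFF + sizeof(struct conn_nat);
    nat->ct = &ct;
    int ok = ext_add_move_loop(&ct, EXT_HELPER, fixed);
    free(buf);
    return ok;
}
```

With the buggy index the callback reinterprets the zero-filled header region as nf_conn_nat and reads a NULL back-pointer, which is exactly the pointer the reported trace dereferenced.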