[patch 03/60] NETFILTER: Fix NULL pointer dereference in nf_nat_move_storage()

2.6.23-stable review patch.  If anyone has any objections, please let us
know.

------------------
From: Evgeniy Polyakov <[email protected]>

[NETFILTER]: Fix NULL pointer dereference in nf_nat_move_storage()

[ Upstream commit: 7799652557d966e49512479f4d3b9079bbc01fff ]

Reported by Chuck Ebbert as:

	https://bugzilla.redhat.com/show_bug.cgi?id=259501#c14

This routine is called each time hash should be replaced, nf_conn has
extension list which contains pointers to connection tracking users
(like nat, which is right now the only such user), so when replace takes
place it should copy own extensions. Loop above checks for own
extension, but tries to move higer-layer one, which can lead to above
oops.

Signed-off-by: Evgeniy Polyakov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Cc: Herbert Xu <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -109,7 +109,7 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
 			rcu_read_lock();
 			t = rcu_dereference(nf_ct_ext_types[i]);
 			if (t && t->move)
-				t->move(ct, ct->ext + ct->ext->offset[id]);
+				t->move(ct, ct->ext + ct->ext->offset[i]);
 			rcu_read_unlock();
 		}
 		kfree(ct->ext);
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable

-- 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• References:
  • [patch 00/60] 2.6.23-stable review
    • From: Greg KH <[email protected]>

• Prev by Date: [patch 02/60] NET: random : secure_tcp_sequence_number should not assume CONFIG_KTIME_SCALAR
• Next by Date: [patch 04/60] rd: fix data corruption on memory pressure Future of Linux 2.6.22.y series
• Previous by thread: [patch 02/60] NET: random : secure_tcp_sequence_number should not assume CONFIG_KTIME_SCALAR
• Next by thread: [patch 04/60] rd: fix data corruption on memory pressure Future of Linux 2.6.22.y series
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]