netfilter: nfnl_cthelper: reject del request if helper obj is in use - starfive-tech/linux.git - StarFive Tech Linux Kernel for VisionFive (JH7110) boards (mirror)

diff options

author	Liping Zhang <zlpnobody@gmail.com>	2017-05-07 17:01:56 +0300
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2017-05-15 13:42:29 +0300
commit	9338d7b4418e9996a7642867d8f6b482a6040ed6 (patch)
tree	5bf37ab11070434ed04c1bcfe12194925bfffd25 /mm
parent	d91fc59cd77c719f33eda65c194ad8f95a055190 (diff)
download	linux-9338d7b4418e9996a7642867d8f6b482a6040ed6.tar.xz

netfilter: nfnl_cthelper: reject del request if helper obj is in use

We can still delete the ct helper even if it is in use, this will cause a use-after-free error. In more detail, I mean: # nfct helper add ssdp inet udp # iptables -t raw -A OUTPUT -p udp -j CT --helper ssdp # nfct helper delete ssdp //--> oops, succeed! BUG: unable to handle kernel paging request at 000026ca IP: 0x26ca [...] Call Trace: ? ipv4_helper+0x62/0x80 [nf_conntrack_ipv4] nf_hook_slow+0x21/0xb0 ip_output+0xe9/0x100 ? ip_fragment.constprop.54+0xc0/0xc0 ip_local_out+0x33/0x40 ip_send_skb+0x16/0x80 udp_send_skb+0x84/0x240 udp_sendmsg+0x35d/0xa50 So add reference count to fix this issue, if ct helper is used by others, reject the delete request. Apply this patch: # nfct helper delete ssdp nfct v1.4.3: netlink error: Device or resource busy Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'mm')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: