Commit 7799652557d966e49512479f4d3b9079bbc01fff

Authored by Evgeniy Polyakov
Committed by David S. Miller
1 parent a5a97263a9

[NETFILTER]: Fix NULL pointer dereference in nf_nat_move_storage()

Reported by Chuck Ebbert as:

	https://bugzilla.redhat.com/show_bug.cgi?id=259501#c14

This routine is called each time hash should be replaced, nf_conn has
extension list which contains pointers to connection tracking users
(like nat, which is right now the only such user), so when replace takes
place it should copy own extensions. Loop above checks for own
extension, but tries to move higher-layer one, which can lead to above
oops.

Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 1 changed file with 1 addition and 1 deletion

net/netfilter/nf_conntrack_extend.c
... ... @@ -109,7 +109,7 @@
109 109 rcu_read_lock();
110 110 t = rcu_dereference(nf_ct_ext_types[i]);
111 111 if (t && t->move)
112   - t->move(ct, ct->ext + ct->ext->offset[id]);
  112 + t->move(ct, ct->ext + ct->ext->offset[i]);
113 113 rcu_read_unlock();
114 114 }
115 115 kfree(ct->ext);
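Review bot: the one-character change from `offset[id]` to `offset[i]` is the whole fix and it is consistent with the `nf_ct_ext_types[i]` lookup two lines above: the extension type and the storage passed to its `move` callback must be indexed by the same loop variable, otherwise the callback for type `i` is handed the offset of the extension being added (`id`), which the commit message reports as the oops. Since `ct->ext->offset[i]` is only meaningful for an extension the conntrack already carries, and the check the message refers to ("Loop above checks for own extension") is outside the visible context, a one-line comment above `if (t && t->move)` stating that only present extensions reach this point would make the invariant obvious to the next reader of this loop.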