[NETFILTER]: Fix NULL pointer dereference in nf_nat_move_storage()
author Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Thu, 15 Nov 2007 23:52:32 +0000 (15:52 -0800)
committer David S. Miller <davem@davemloft.net>
Thu, 15 Nov 2007 23:52:32 +0000 (15:52 -0800)
Reported by Chuck Ebbert as:

https://bugzilla.redhat.com/show_bug.cgi?id=259501#c14

This routine is called each time hash should be replaced, nf_conn has
extension list which contains pointers to connection tracking users
(like nat, which is right now the only such user), so when replace takes
place it should copy own extensions. Loop above checks for own
extension, but tries to move higher-layer one, which can lead to the above
oops.

Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
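The indexing mistake the commit message describes, reproduced in a minimal model of the extension area. This is an added example, not kernel code: `struct ext_area`, `struct conn`, `nat_move`, `move_existing` and the extension ids are all assumptions standing in for the real `nf_ct_ext` structures. The one thing it preserves is the shape of the bug: the loop walks extensions by index `i`, but the pre-patch code took the storage pointer from `offset[id]`, the slot of the extension that is about to be added and therefore has no offset yet, so the move callback is handed the start of the area (the header) instead of the NAT storage.

```c
/* Added example, not kernel code: a toy model of the conntrack extension
 * area showing why offset[] must be indexed by the loop variable i (the
 * extension being relocated) and not by id (the extension being added). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_EXT 3
enum { EXT_HELPER = 0, EXT_NAT = 1, EXT_NEW = 2 };  /* assumed ids */

struct ext_area {
    uint8_t offset[MAX_EXT];  /* byte offset of each extension from the area start; 0 = absent */
    uint8_t len;              /* bytes currently in use */
    unsigned char data[64];   /* per-extension storage follows the header */
};

struct conn {
    struct ext_area *ext;
};

struct ext_type {
    void (*move)(struct conn *ct, void *old_storage);
};

/* Records the pointer the callback was given, so callers can check it.
 * A real callback (nf_nat_move_storage) would dereference fields inside
 * old_storage, which is where the oops comes from when it is wrong. */
static void *moved_storage;
static void nat_move(struct conn *ct, void *old_storage)
{
    (void)ct;
    moved_storage = old_storage;
}

static struct ext_type types[MAX_EXT] = {
    [EXT_HELPER] = { NULL },
    [EXT_NAT]    = { nat_move },
    [EXT_NEW]    = { NULL },
};

/* Area with only the NAT extension present; EXT_NEW is not placed yet,
 * so offset[EXT_NEW] stays 0 exactly as it would before the realloc. */
static void setup(struct conn *ct, struct ext_area *area)
{
    memset(area, 0, sizeof *area);
    area->offset[EXT_NAT] = (uint8_t)offsetof(struct ext_area, data);
    area->len = (uint8_t)(offsetof(struct ext_area, data) + 16);
    ct->ext = area;
}

/* The move loop run before the area is replaced to make room for new_id.
 * buggy != 0 reproduces the pre-patch indexing, buggy == 0 the patched one.
 * Returns the storage pointer the NAT move callback received. */
static void *move_existing(struct conn *ct, int new_id, int buggy)
{
    struct ext_area *old = ct->ext;
    moved_storage = NULL;
    for (int i = 0; i < MAX_EXT; i++) {
        if (!old->offset[i])
            continue;                          /* only extensions that exist */
        if (types[i].move)
            types[i].move(ct, (char *)old + old->offset[buggy ? new_id : i]);
    }
    return moved_storage;
}

/* Nonzero when the loop handed nat_move the real NAT storage. */
static int move_hits_nat_storage(int buggy)
{
    struct ext_area area;
    struct conn ct;
    setup(&ct, &area);
    void *got = move_existing(&ct, EXT_NEW, buggy);
    return got == (void *)((char *)&area + area.offset[EXT_NAT]);
}

int main(void)
{
    printf("patched indexing (offset[i])  -> NAT storage: %s\n",
           move_hits_nat_storage(0) ? "yes" : "no");
    printf("pre-patch indexing (offset[id]) -> NAT storage: %s\n",
           move_hits_nat_storage(1) ? "yes" : "no");
    return 0;
}
```

With the pre-patch indexing, `offset[EXT_NEW]` is 0, so the callback receives `&area` itself and would read the offset table as if it were NAT state; with `offset[i]` it receives the NAT storage it expects.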
net/netfilter/nf_conntrack_extend.c

index a1a65a1313b3ecb7e0f16254ae2514cf0d3f7ef3..cf6ba6659a8080938b3aaaa44c6ef46d0a47ad72 100644 (file)
@@ -109,7 +109,7 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
                        rcu_read_lock();
                        t = rcu_dereference(nf_ct_ext_types[i]);
                        if (t && t->move)
-                               t->move(ct, ct->ext + ct->ext->offset[id]);
+                               t->move(ct, ct->ext + ct->ext->offset[i]);
                        rcu_read_unlock();
                }
                kfree(ct->ext);
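Review bot: the corrected line `t->move(ct, ct->ext + ct->ext->offset[i]);` is right, but `i` and `id` differ by one character in a loop where both are live, which is exactly how the original slipped through; consider pulling the old storage into a named local (`void *old = ct->ext + ct->ext->offset[i];`) and a one-line comment stating that `id` is the extension being added and has no offset yet while `i` is the extension being relocated, so the next reader does not have to rediscover the distinction.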