diff options
author | Liping Zhang <zlpnobody@gmail.com> | 2017-04-01 20:55:44 +0800 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-04-08 23:52:16 +0200 |
commit | 3173d5b8c89e67fa3176292ff9af06f09f365348 (patch) | |
tree | 003c7716e5989830dfe5d1fff85718929d852a39 /net | |
parent | 8b5995d0633b04f9a0d321a7cc77e386440730cf (diff) | |
download | linux-stable-3173d5b8c89e67fa3176292ff9af06f09f365348.tar.gz linux-stable-3173d5b8c89e67fa3176292ff9af06f09f365348.tar.bz2 linux-stable-3173d5b8c89e67fa3176292ff9af06f09f365348.zip |
netfilter: ctnetlink: make it safer when checking the ct helper name
One CPU is doing ctnetlink_change_helper(), while another CPU is doing
unhelp() at the same time. So even if help->helper is not NULL at first,
the later statement strcmp(help->helper->name, ...) may still access
the NULL pointer.
So we must use rcu_read_lock and rcu_dereference to avoid such _bad_
thing happen.
Fixes: f95d7a46bc57 ("netfilter: ctnetlink: Fix regression in CTA_HELP processing")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 06d28ac663df..f9c643bc1a8e 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -1488,11 +1488,16 @@ static int ctnetlink_change_helper(struct nf_conn *ct, * treat the second attempt as a no-op instead of returning * an error. */ - if (help && help->helper && - !strcmp(help->helper->name, helpname)) - return 0; - else - return -EBUSY; + err = -EBUSY; + if (help) { + rcu_read_lock(); + helper = rcu_dereference(help->helper); + if (helper && !strcmp(helper->name, helpname)) + err = 0; + rcu_read_unlock(); + } + + return err; } if (!strcmp(helpname, "")) { |