summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorLiping Zhang <zlpnobody@gmail.com>2017-04-01 20:55:44 +0800
committerPablo Neira Ayuso <pablo@netfilter.org>2017-04-08 23:52:16 +0200
commit3173d5b8c89e67fa3176292ff9af06f09f365348 (patch)
tree003c7716e5989830dfe5d1fff85718929d852a39 /net
parent8b5995d0633b04f9a0d321a7cc77e386440730cf (diff)
downloadlinux-stable-3173d5b8c89e67fa3176292ff9af06f09f365348.tar.gz
linux-stable-3173d5b8c89e67fa3176292ff9af06f09f365348.tar.bz2
linux-stable-3173d5b8c89e67fa3176292ff9af06f09f365348.zip
netfilter: ctnetlink: make it safer when checking the ct helper name
One CPU is doing ctnetlink_change_helper(), while another CPU is doing unhelp() at the same time. So even if help->helper is not NULL at first, the later statement strcmp(help->helper->name, ...) may still access the NULL pointer. So we must use rcu_read_lock and rcu_dereference to avoid such _bad_ thing happen. Fixes: f95d7a46bc57 ("netfilter: ctnetlink: Fix regression in CTA_HELP processing") Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nf_conntrack_netlink.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 06d28ac663df..f9c643bc1a8e 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1488,11 +1488,16 @@ static int ctnetlink_change_helper(struct nf_conn *ct,
* treat the second attempt as a no-op instead of returning
* an error.
*/
- if (help && help->helper &&
- !strcmp(help->helper->name, helpname))
- return 0;
- else
- return -EBUSY;
+ err = -EBUSY;
+ if (help) {
+ rcu_read_lock();
+ helper = rcu_dereference(help->helper);
+ if (helper && !strcmp(helper->name, helpname))
+ err = 0;
+ rcu_read_unlock();
+ }
+
+ return err;
}
if (!strcmp(helpname, "")) {