diff options
| author | Gao feng <gaofeng@cn.fujitsu.com> | 2013-06-24 05:04:02 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-06-24 11:10:44 -0400 |
| commit | c8fc51cfa758be945c6113a4b446e0159070f768 (patch) | |
| tree | 7fe9bb354958c4453a7fa03dcbe5ffe9b4696594 /net | |
| parent | 797a7d66d2048fe8a4ac1ba58c5d4752d64b1ac4 (diff) | |
netfilter: ipt_ULOG: fix incorrect setting of ulog timer
The parameter of setup_timer should be &ulog->nlgroup[i].
the incorrect parameter will cause kernel panic in
ulog_timer.
Bug introducted in commit 355430671ad93546b34b4e91bdf720f3a704efa4
"netfilter: ipt_ULOG: add net namespace support for ipt_ULOG"
ebt_ULOG doesn't have this problem.
[ I have mangled this patch to fix nlgroup != 0 case, we were
also crashing there --pablo ]
Tested-by: George Spelvin <linux@horizon.com>
Reported-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/netfilter/ipt_ULOG.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c index ff4b781b1056..32b0e978c8e0 100644 --- a/net/ipv4/netfilter/ipt_ULOG.c +++ b/net/ipv4/netfilter/ipt_ULOG.c | |||
| @@ -125,15 +125,16 @@ static void ulog_send(struct ulog_net *ulog, unsigned int nlgroupnum) | |||
| 125 | /* timer function to flush queue in flushtimeout time */ | 125 | /* timer function to flush queue in flushtimeout time */ |
| 126 | static void ulog_timer(unsigned long data) | 126 | static void ulog_timer(unsigned long data) |
| 127 | { | 127 | { |
| 128 | unsigned int groupnum = *((unsigned int *)data); | ||
| 128 | struct ulog_net *ulog = container_of((void *)data, | 129 | struct ulog_net *ulog = container_of((void *)data, |
| 129 | struct ulog_net, | 130 | struct ulog_net, |
| 130 | nlgroup[*(unsigned int *)data]); | 131 | nlgroup[groupnum]); |
| 131 | pr_debug("timer function called, calling ulog_send\n"); | 132 | pr_debug("timer function called, calling ulog_send\n"); |
| 132 | 133 | ||
| 133 | /* lock to protect against somebody modifying our structure | 134 | /* lock to protect against somebody modifying our structure |
| 134 | * from ipt_ulog_target at the same time */ | 135 | * from ipt_ulog_target at the same time */ |
| 135 | spin_lock_bh(&ulog->lock); | 136 | spin_lock_bh(&ulog->lock); |
| 136 | ulog_send(ulog, data); | 137 | ulog_send(ulog, groupnum); |
| 137 | spin_unlock_bh(&ulog->lock); | 138 | spin_unlock_bh(&ulog->lock); |
| 138 | } | 139 | } |
| 139 | 140 | ||
| @@ -407,8 +408,11 @@ static int __net_init ulog_tg_net_init(struct net *net) | |||
| 407 | 408 | ||
| 408 | spin_lock_init(&ulog->lock); | 409 | spin_lock_init(&ulog->lock); |
| 409 | /* initialize ulog_buffers */ | 410 | /* initialize ulog_buffers */ |
| 410 | for (i = 0; i < ULOG_MAXNLGROUPS; i++) | 411 | for (i = 0; i < ULOG_MAXNLGROUPS; i++) { |
| 411 | setup_timer(&ulog->ulog_buffers[i].timer, ulog_timer, i); | 412 | ulog->nlgroup[i] = i; |
| 413 | setup_timer(&ulog->ulog_buffers[i].timer, ulog_timer, | ||
| 414 | (unsigned long)&ulog->nlgroup[i]); | ||
| 415 | } | ||
| 412 | 416 | ||
| 413 | ulog->nflognl = netlink_kernel_create(net, NETLINK_NFLOG, &cfg); | 417 | ulog->nflognl = netlink_kernel_create(net, NETLINK_NFLOG, &cfg); |
| 414 | if (!ulog->nflognl) | 418 | if (!ulog->nflognl) |