netfilter: nf_ct_sip: extend RCU read lock in set_expected_rtp_rtcp()

Currently set_expected_rtp_rtcp() in the SIP helper uses
rcu_dereference() two times to access two different NAT hook
functions. However, only the first one is protected by the RCU
reader lock, but the 2nd isn't. Fix it by extending the RCU
protected area.

This is more a cosmetic thing since we rely on all netfilter hooks
being rcu_read_lock()ed by nf_hook_slow() in many places anyways,
as Patrick McHardy clarified.

Signed-off-by: Holger Eitzenberger <holger.eitzenberger@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 4 insertions, 2 deletions

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index e0c4373b4747..5ed8c441dffd 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -966,7 +966,6 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff,
 #endif
                         skip_expect = 1;
         } while (!skip_expect);
-        rcu_read_unlock();
 
         base_port = ntohs(tuple.dst.u.udp.port) & ~1;
         rtp_port = htons(base_port);
@@ -980,8 +979,10 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff,
                         goto err1;
         }
 
-        if (skip_expect)
+        if (skip_expect) {
+                rcu_read_unlock();
                 return NF_ACCEPT;
+        }
 
         rtp_exp = nf_ct_expect_alloc(ct);
         if (rtp_exp == NULL)
@@ -1012,6 +1013,7 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff,
 err2:
         nf_ct_expect_put(rtp_exp);
 err1:
+        rcu_read_unlock();
         return ret;
 }