diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-08-15 20:25:24 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-08-16 05:49:53 -0400 |
| commit | 2614f86490122bf51eb7c12ec73927f1900f4e7d (patch) | |
| tree | f490b8043d0a33f1a8b5cb2ffc7c9d92c16f729c /net/netfilter | |
| parent | 68e035c950dbceaf660144bf74054dfdfb6aad15 (diff) | |
netfilter: nf_ct_expect: fix possible access to uninitialized timer
In __nf_ct_expect_check, the function refresh_timer returns 1
if a matching expectation is found and its timer is successfully
refreshed. This results in nf_ct_expect_related returning 0.
Note that at this point:
- the passed expectation is not inserted in the expectation table
and its timer was not initialized, since we have refreshed one
matching/existing expectation.
- nf_ct_expect_alloc uses kmem_cache_alloc, so the expectation
timer is in some undefined state just after the allocation,
until it is appropriately initialized.
This can be a problem for the SIP helper during the expectation
addition:
...
if (nf_ct_expect_related(rtp_exp) == 0) {
if (nf_ct_expect_related(rtcp_exp) != 0)
nf_ct_unexpect_related(rtp_exp);
...
Note that nf_ct_expect_related(rtp_exp) may return 0 for the timer refresh
case that is detailed above. Then, if nf_ct_unexpect_related(rtcp_exp)
returns != 0, nf_ct_unexpect_related(rtp_exp) is called, which does:
spin_lock_bh(&nf_conntrack_lock);
if (del_timer(&exp->timeout)) {
nf_ct_unlink_expect(exp);
nf_ct_expect_put(exp);
}
spin_unlock_bh(&nf_conntrack_lock);
Note that del_timer always returns false if the timer has been
initialized. However, the timer was not initialized since setup_timer
was not called, therefore, the expectation timer remains in some
undefined state. If I'm not missing anything, this may lead to the
removal an unexistent expectation.
To fix this, the optimization that allows refreshing an expectation
is removed. Now nf_conntrack_expect_related looks more consistent
to me since it always add the expectation in case that it returns
success.
Thanks to Patrick McHardy for participating in the discussion of
this patch.
I think this may be the source of the problem described by:
http://marc.info/?l=netfilter-devel&m=134073514719421&w=2
Reported-by: Rafal Fitt <rafalf@aplusc.com.pl>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/nf_conntrack_expect.c | 29 |
1 files changed, 6 insertions, 23 deletions
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index 45cf602a76bc..527651a53a45 100644 --- a/net/netfilter/nf_conntrack_expect.c +++ b/net/netfilter/nf_conntrack_expect.c | |||
| @@ -361,23 +361,6 @@ static void evict_oldest_expect(struct nf_conn *master, | |||
| 361 | } | 361 | } |
| 362 | } | 362 | } |
| 363 | 363 | ||
| 364 | static inline int refresh_timer(struct nf_conntrack_expect *i) | ||
| 365 | { | ||
| 366 | struct nf_conn_help *master_help = nfct_help(i->master); | ||
| 367 | const struct nf_conntrack_expect_policy *p; | ||
| 368 | |||
| 369 | if (!del_timer(&i->timeout)) | ||
| 370 | return 0; | ||
| 371 | |||
| 372 | p = &rcu_dereference_protected( | ||
| 373 | master_help->helper, | ||
| 374 | lockdep_is_held(&nf_conntrack_lock) | ||
| 375 | )->expect_policy[i->class]; | ||
| 376 | i->timeout.expires = jiffies + p->timeout * HZ; | ||
| 377 | add_timer(&i->timeout); | ||
| 378 | return 1; | ||
| 379 | } | ||
| 380 | |||
| 381 | static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect) | 364 | static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect) |
| 382 | { | 365 | { |
| 383 | const struct nf_conntrack_expect_policy *p; | 366 | const struct nf_conntrack_expect_policy *p; |
| @@ -386,7 +369,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect) | |||
| 386 | struct nf_conn_help *master_help = nfct_help(master); | 369 | struct nf_conn_help *master_help = nfct_help(master); |
| 387 | struct nf_conntrack_helper *helper; | 370 | struct nf_conntrack_helper *helper; |
| 388 | struct net *net = nf_ct_exp_net(expect); | 371 | struct net *net = nf_ct_exp_net(expect); |
| 389 | struct hlist_node *n; | 372 | struct hlist_node *n, *next; |
| 390 | unsigned int h; | 373 | unsigned int h; |
| 391 | int ret = 1; | 374 | int ret = 1; |
| 392 | 375 | ||
| @@ -395,12 +378,12 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect) | |||
| 395 | goto out; | 378 | goto out; |
| 396 | } | 379 | } |
| 397 | h = nf_ct_expect_dst_hash(&expect->tuple); | 380 | h = nf_ct_expect_dst_hash(&expect->tuple); |
| 398 | hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) { | 381 | hlist_for_each_entry_safe(i, n, next, &net->ct.expect_hash[h], hnode) { |
| 399 | if (expect_matches(i, expect)) { | 382 | if (expect_matches(i, expect)) { |
| 400 | /* Refresh timer: if it's dying, ignore.. */ | 383 | if (del_timer(&i->timeout)) { |
| 401 | if (refresh_timer(i)) { | 384 | nf_ct_unlink_expect(i); |
| 402 | ret = 0; | 385 | nf_ct_expect_put(i); |
| 403 | goto out; | 386 | break; |
| 404 | } | 387 | } |
| 405 | } else if (expect_clash(i, expect)) { | 388 | } else if (expect_clash(i, expect)) { |
| 406 | ret = -EBUSY; | 389 | ret = -EBUSY; |