aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorPekka Enberg <penberg@cs.helsinki.fi>2008-07-26 20:49:33 -0400
committerDavid S. Miller <davem@davemloft.net>2008-07-26 20:49:33 -0400
commit93bc4e89c260d91576840c4881d1066d84ccd422 (patch)
tree456176a054fc9a3fed18ac6ce50c7a34a86c5808 /net
parent3918fed5f31213067c1c345bd904e1ea369e6819 (diff)
netfilter: fix double-free and use-after free
As suggested by Patrick McHardy, introduce a __krealloc() that doesn't free the original buffer to fix a double-free and use-after-free bug introduced by me in netfilter that uses RCU. Reported-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi> Tested-by: Dieter Ries <clip2@gmx.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nf_conntrack_extend.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index 3469bc71a385..c956ef7eeecb 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -95,7 +95,7 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
95 newlen = newoff + t->len; 95 newlen = newoff + t->len;
96 rcu_read_unlock(); 96 rcu_read_unlock();
97 97
98 new = krealloc(ct->ext, newlen, gfp); 98 new = __krealloc(ct->ext, newlen, gfp);
99 if (!new) 99 if (!new)
100 return NULL; 100 return NULL;
101 101