author | Pekka Enberg <penberg@cs.helsinki.fi> | 2008-07-26 20:49:33 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-07-26 20:49:33 -0400 |
commit | 93bc4e89c260d91576840c4881d1066d84ccd422 (patch) | |
tree | 456176a054fc9a3fed18ac6ce50c7a34a86c5808 /net | |
parent | 3918fed5f31213067c1c345bd904e1ea369e6819 (diff) |
netfilter: fix double-free and use-after free
As suggested by Patrick McHardy, introduce a __krealloc() that doesn't
free the original buffer to fix a double-free and use-after-free bug
introduced by me in netfilter that uses RCU.
Reported-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
Tested-by: Dieter Ries <clip2@gmx.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nf_conntrack_extend.c | 2 |
1 files changed, 1 insertions, 1 deletions
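--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -95,7 +95,7 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
 newlen = newoff + t->len;
 rcu_read_unlock();
 
-new = krealloc(ct->ext, newlen, gfp);
+new = __krealloc(ct->ext, newlen, gfp);
 if (!new)
 return NULL;
 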
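Review bot: The switch to `__krealloc()` at line 98 of `__nf_ct_ext_add` carries no comment saying why the non-freeing variant is required, so a later cleanup could turn it back into `krealloc()` and reintroduce the double free and use-after-free the commit message describes. I would add above the call `/* __krealloc() does not free ct->ext: RCU readers may still reference it, so the old buffer must be released only after a grace period. */`. Because the allocator no longer frees the old buffer, the code after the `if (!new)` check has to release it when a new buffer was returned and skip that release when `new == ct->ext`, which `__krealloc()` can return when the existing allocation is already large enough. That part of the function lies outside the hunk and cannot be checked from here.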