From d04b4f8c1c9766e49fad6a141fc61cb30db69a5c Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Fri, 22 Jul 2005 12:50:29 -0700 Subject: [NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT) The portptr pointing to the port in the conntrack tuple is declared static, which could result in memory corruption when two packets of the same protocol are NATed at the same time and one conntrack goes away. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/ipv4/netfilter/ip_nat_proto_tcp.c | 3 ++- net/ipv4/netfilter/ip_nat_proto_udp.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'net/ipv4') diff --git a/net/ipv4/netfilter/ip_nat_proto_tcp.c b/net/ipv4/netfilter/ip_nat_proto_tcp.c index a91cfceff272..a98e36d2b3c6 100644 --- a/net/ipv4/netfilter/ip_nat_proto_tcp.c +++ b/net/ipv4/netfilter/ip_nat_proto_tcp.c @@ -40,7 +40,8 @@ tcp_unique_tuple(struct ip_conntrack_tuple *tuple, enum ip_nat_manip_type maniptype, const struct ip_conntrack *conntrack) { - static u_int16_t port, *portptr; + static u_int16_t port; + u_int16_t *portptr; unsigned int range_size, min, i; if (maniptype == IP_NAT_MANIP_SRC) diff --git a/net/ipv4/netfilter/ip_nat_proto_udp.c b/net/ipv4/netfilter/ip_nat_proto_udp.c index c669e3b5f5d0..9f66e5625664 100644 --- a/net/ipv4/netfilter/ip_nat_proto_udp.c +++ b/net/ipv4/netfilter/ip_nat_proto_udp.c @@ -41,7 +41,8 @@ udp_unique_tuple(struct ip_conntrack_tuple *tuple, enum ip_nat_manip_type maniptype, const struct ip_conntrack *conntrack) { - static u_int16_t port, *portptr; + static u_int16_t port; + u_int16_t *portptr; unsigned int range_size, min, i; if (maniptype == IP_NAT_MANIP_SRC) -- cgit v1.2.2