[conntrack-tools] fix: remove node from tx_list when the state-entry is destroy

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Sun Sep 21 14:01:12 CEST 2008 

Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=666ceb1e2cd71f844f5794a556c46b114764bca6
commit 666ceb1e2cd71f844f5794a556c46b114764bca6
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun Sep 21 14:00:50 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Sep 21 14:00:50 2008 +0200

    fix: remove node from tx_list when the state-entry is destroy
    
    This patches fixes a race that triggers a read-after-free access
    to the tx_list. The state-entry is destroyed but it is still in the
    list. The fix removes the state-entry from the tx_list in the destroy
    path.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  666ceb1e2cd71f844f5794a556c46b114764bca6 (commit)
      from  ce7c1553d7720188447d0ae7f7f80ce033b5a8d8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 666ceb1e2cd71f844f5794a556c46b114764bca6
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Sun Sep 21 14:00:50 2008 +0200

    fix: remove node from tx_list when the state-entry is destroy
    
    This patches fixes a race that triggers a read-after-free access
    to the tx_list. The state-entry is destroyed but it is still in the
    list. The fix removes the state-entry from the tx_list in the destroy
    path.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 src/sync-ftfw.c |   15 +++++++++------
 1 files changed, 9 insertions(+), 6 deletions(-)
This patches fixes a race that triggers a read-after-free access
to the tx_list. The state-entry is destroyed but it is still in the
list. The fix removes the state-entry from the tx_list in the destroy
path.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/src/sync-ftfw.c b/src/sync-ftfw.c
index 5019d4e..4c1b536 100644
--- a/src/sync-ftfw.c
+++ b/src/sync-ftfw.c
@@ -70,12 +70,15 @@ static void cache_ftfw_del(struct us_conntrack *u, void *data)
 	struct cache_ftfw *cn = data;
 
 	/* this node is already out of the list */
-	if (list_empty(&cn->rs_list))
-	    	return;
-
-	/* no need for list_del_init since the entry is destroyed */
-	list_del(&cn->rs_list);
-	rs_list_len--;
+	if (!list_empty(&cn->rs_list)) {
+		/* no need for list_del_init since the entry is destroyed */
+		list_del(&cn->rs_list);
+		rs_list_len--;
+	}
+	if (!list_empty(&cn->tx_list)) {
+		list_del(&cn->tx_list);
+		tx_list_len--;
+	}
 }
 
 static struct cache_extra cache_ftfw_extra = {

More information about the netfilter-cvslog mailing list