[NETFILTER]: Fix NULL pointer dereference in nf_nat_move_storage()

Reported by Chuck Ebbert as: https://bugzilla.redhat.com/show_bug.cgi?id=259501#c14 This routine is called each time hash should be replaced, nf_conn has extension list which contains pointers to connection tracking users (like nat, which is right now the only such user), so when replace takes place it should copy own extensions. Loop above checks for own extension, but tries to move higer-layer one, which can lead to above oops. Signed-off-by: N Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: N David S. Miller <davem@davemloft.net>

[NETFILTER]: Fix NULL pointer dereference in nf_nat_move_storage()
Reported by Chuck Ebbert as: https://bugzilla.redhat.com/show_bug.cgi?id=259501#c14 This routine is called each time hash should be replaced, nf_conn has extension list which contains pointers to connection tracking users (like nat, which is right now the only such user), so when replace takes place it should copy own extensions. Loop above checks for own extension, but tries to move higer-layer one, which can lead to above oops. Signed-off-by: N Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: N David S. Miller <davem@davemloft.net>
77996525 · Evgeniy Polyakov · David S. Miller · a5a97263 · 77996525
显示空白变更内容
内联并排

Showing with 1 addition and 1 deletion

net/netfilter/nf_conntrack_extend.c net/netfilter/nf_conntrack_extend.c +1 -1

未找到文件。
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -109,7 +109,7 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
 			rcu_read_lock();
 			t = rcu_dereference(nf_ct_ext_types[i]);
 			if (t && t->move)
-				t->move(ct, ct->ext + ct->ext->offset[id]);
+				t->move(ct, ct->ext + ct->ext->offset[i]);
 			rcu_read_unlock();
 		}
 		kfree(ct->ext);