> IPFilter crashed on Solaris 8 during a stress test.
>
> I found the reason is due to a NULL pointer dereference in
> static void nat_delete(nat, logtype)
>
> when calling
>
> fr_deletequeueentry(&nat->nat_tqe);
>
> It appeared *nat->nat_tqe is NULL at that time as shown with MDB. ..
> One possible fix would be to check if nat->nat_tqe is not NULL as
>
> if (nat->nat_tqe)
>     fr_deletequeueentry(&nat->nat_tqe);
>
> I have a question, what can cause nat->nat_tqe = NULL but the rest of
> nat entry is valid?
I think what has happened here is that an attempt to remove the NAT session has been made (expire/flush) while a reference to it is still held somewhere else by IPFilter. When that other part of IPFilter is done with the NAT session, it calls nat_deref() and then we go "POP".

So yes, the fix (above) is correct.

Darren
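The lifetime sequence Darren describes, replayed in a small model (an added example, not IPFilter's code): a session is on a timeout queue, some other subsystem holds a reference to it, an expire/flush deletes the queue entry but cannot free the session, and the later nat_deref() drops the last reference and enters nat_delete() a second time with nat_tqe already NULL. The structures, the global queue, the reference counter and the helper names (fr_queueentry, nat_deref, replay_expire_while_referenced) are assumptions of this model; nat_tqe is treated as a pointer because that is what the proposed check `if (nat->nat_tqe)` implies.

```c
#include <stdlib.h>

/* Hypothetical, simplified model of the lifetime bug in the thread.
 * These are NOT IPFilter's real structures; the names only mirror the report. */
typedef struct ipftqent {
    struct ipftqent *tqe_next;
    struct ipftqent **tqe_pnext;
} ipftqent_t;

typedef struct nat {
    int nat_ref;          /* references held by other parts of the stack */
    ipftqent_t *nat_tqe;  /* timeout-queue entry; NULL once dequeued */
} nat_t;

static ipftqent_t *tq_head;   /* single timeout queue (assumed) */
static int tq_len;
static int null_tqe_seen;     /* times the guard met a NULL nat_tqe */
static int nats_freed;

/* Put a freshly allocated queue entry at the head of the timeout queue. */
static void fr_queueentry(nat_t *nat) {
    ipftqent_t *tqe = calloc(1, sizeof *tqe);
    if (tqe == NULL) abort();
    tqe->tqe_next = tq_head;
    tqe->tqe_pnext = &tq_head;
    if (tq_head) tq_head->tqe_pnext = &tqe->tqe_next;
    tq_head = tqe;
    tq_len++;
    nat->nat_tqe = tqe;
}

/* Unlink and free the entry; dereferences NULL if *tqep is already NULL. */
static void fr_deletequeueentry(ipftqent_t **tqep) {
    ipftqent_t *tqe = *tqep;
    *tqe->tqe_pnext = tqe->tqe_next;
    if (tqe->tqe_next) tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
    tq_len--;
    free(tqe);
    *tqep = NULL;
}

/* Delete path with the guard proposed in the report: the entry is only
 * dequeued once, and the session itself survives while still referenced. */
static void nat_delete(nat_t *nat) {
    if (nat->nat_tqe == NULL)
        null_tqe_seen++;           /* second delete after an earlier expire */
    else
        fr_deletequeueentry(&nat->nat_tqe);
    if (nat->nat_ref > 0)
        return;                    /* another subsystem still holds it */
    free(nat);
    nats_freed++;
}

/* Drop one reference; the last holder triggers the final delete. */
static void nat_deref(nat_t **natp) {
    nat_t *nat = *natp;
    *natp = NULL;
    if (--nat->nat_ref == 0)
        nat_delete(nat);
}

/* Replay: expire/flush while a reference is held, then the holder lets go.
 * Returns how many times nat_delete() was entered with nat_tqe == NULL. */
int replay_expire_while_referenced(void) {
    nat_t *nat = calloc(1, sizeof *nat);
    nat_t *held;
    if (nat == NULL) abort();
    null_tqe_seen = 0;
    nats_freed = 0;
    fr_queueentry(nat);
    held = nat;
    nat->nat_ref = 1;              /* e.g. a packet path still using the session */
    nat_delete(nat);               /* expire/flush: dequeues, cannot free yet */
    nat_deref(&held);              /* holder done -> nat_delete() runs again */
    return null_tqe_seen;
}

int tq_length(void) { return tq_len; }
int nats_freed_count(void) { return nats_freed; }
```

Without the guard the second nat_delete() would pass a NULL entry to fr_deletequeueentry() and fault on `tqe->tqe_pnext`, which is the "POP" in the reply; with it the replay ends with an empty queue and exactly one freed session.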
