Gitweb:
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7799652557d966e49512479f4d3b9079bbc01fff
Commit: 7799652557d966e49512479f4d3b9079bbc01fff
Parent: a5a97263a9fd6a94f954d41ae3233ea65a90bd8a
Author: Evgeniy Polyakov <[EMAIL PROTECTED]>
AuthorDate: Thu Nov 15 15:52:32 2007 -0800
Committer: David S. Miller <[EMAIL PROTECTED]>
CommitDate: Thu Nov 15 15:52:32 2007 -0800
[NETFILTER]: Fix NULL pointer dereference in nf_nat_move_storage()
Reported by Chuck Ebbert as:
https://bugzilla.redhat.com/show_bug.cgi?id=259501#c14
This routine is called each time hash should be replaced, nf_conn has
extension list which contains pointers to connection tracking users
(like nat, which is right now the only such user), so when replace takes
place it should copy own extensions. Loop above checks for own
extension, but tries to move higer-layer one, which can lead to above
oops.
Signed-off-by: Evgeniy Polyakov <[EMAIL PROTECTED]>
Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
---
net/netfilter/nf_conntrack_extend.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/nf_conntrack_extend.c
b/net/netfilter/nf_conntrack_extend.c
index a1a65a1..cf6ba66 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -109,7 +109,7 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id
id, gfp_t gfp)
rcu_read_lock();
t = rcu_dereference(nf_ct_ext_types[i]);
if (t && t->move)
- t->move(ct, ct->ext + ct->ext->offset[id]);
+ t->move(ct, ct->ext + ct->ext->offset[i]);
rcu_read_unlock();
}
kfree(ct->ext);
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
