From: Gao Feng
The helper module would be unloaded after nf_conntrack_helper_unregister,
so it may cause a possible panic caused by race.
nf_ct_iterate_destroy(unhelp, me) reset the helper of conntrack as NULL,
but maybe someone has gotten the helper pointer during this period. Then
it would
On Tue, Jun 12, 2018 at 08:31:49PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Jun 12, 2018 at 01:25:35PM +1000, Duncan Roe wrote:
> > gcc 8.1 warns when it can detect that a strncpy may result in a string with
> > no null terminator. It also warns when it can similarly detect that an
> >
On Tue, Jun 12, 2018 at 08:04:56PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Jun 12, 2018 at 10:51:34AM -0700, Yi-Hung Wei wrote:
> > Currently, we use check_hlist() for garbage collection. However, we
> > use the ‘zone’ from the counted entry to query the existence of
> > existing entries in the
Currently, we use check_hlist() for garbage collection. However, we
use the ‘zone’ from the counted entry to query the existence of
existing entries in the hlist. This could be wrong when they are in
different zones, and this patch fixes this issue.
Signed-off-by: Yi-Hung Wei
---
This fix is
On Sat, Jun 09, 2018 at 11:04:27PM +0530, Arushi Singhal wrote:
> To run the test suite (as root):
> % cd iptables/tests/shell
> % ./run-tests.sh
>
> Test files are executable files with the pattern <> , where
> N is the expected return code of the executable. Since they are
> located with
On Mon, Jun 11, 2018 at 10:16:33PM +0900, Taehee Yoo wrote:
> When depth of chain is bigger than NFT_JUMP_STACK_SIZE,
> the nft_do_chain crashes.
> But there is no need to crash hard here.
Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body
On Mon, Jun 11, 2018 at 01:20:36PM +0200, Florian Westphal wrote:
> If net namespace is exiting while nf_tables module is being removed
> we can oops:
>
> BUG: unable to handle kernel NULL pointer dereference at 0040
> IP: nf_tables_flowtable_event+0x43/0xf0 [nf_tables]
> PGD 0 P4D
On Mon, Jun 11, 2018 at 01:20:35PM +0200, Florian Westphal wrote:
> We must first remove the nfnetlink protocol handler when nf_tables module
> is unloaded -- we don't want userspace to submit new change requests once
> we've started to tear down nft state.
Applied, thanks.
On Tue, Jun 12, 2018 at 06:36:19PM +0200, Florian Westphal wrote:
> This needs to use xt_unregister_targets, else new revision is left
> on the list which then causes list to point to a target struct that has been
> free'd.
Applied, thanks.
On Mon, Jun 11, 2018 at 10:22:19PM +0200, Florian Westphal wrote:
> Dan Carpenter points out that deref occurs after NULL check, we should
> re-fetch the pointer and check that instead.
Also applied, thanks.
Pablo Neira Ayuso wrote:
> > Unrelated to your patch: I think timeout handling is braindead
> > in current conntrack, we should revisit this.
>
> By now, I think it's fine as is, I mean using the template, so
> Harsha/someone else can have a look at this in a second step.
Yes, sure. It's on my
On Tue, Jun 12, 2018 at 03:21:35PM +0200, Florian Westphal wrote:
> Harsha Sharma wrote:
> > +ctnl_timeout_parse_policy(void *timeouts,
> > + const struct nf_conntrack_l4proto *l4proto,
> > + struct net *net, const struct nlattr *attr)
> > +{
> > + int
This needs to use xt_unregister_targets, else new revision is left
on the list which then causes list to point to a target struct that has been
free'd.
Fixes: 472a73e00757 ("netfilter: xt_conntrack: Support bit-shifting for CONNMARK & MARK targets.")
Signed-off-by: Florian Westphal
---
diff
Harsha Sharma wrote:
> +ctnl_timeout_parse_policy(void *timeouts,
> + const struct nf_conntrack_l4proto *l4proto,
> + struct net *net, const struct nlattr *attr)
> +{
> + int ret = 0;
> + struct nlattr **tb;
> +
> + if