git.openpandora.org
/
pandora-kernel.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
nf_conntrack: avoid kernel pointer value leak in slab name
[pandora-kernel.git]
/
net
/
netfilter
/
nf_conntrack_core.c
diff --git
a/net/netfilter/nf_conntrack_core.c
b/net/netfilter/nf_conntrack_core.c
index
7202b06
..
c855673
100644
(file)
--- a/
net/netfilter/nf_conntrack_core.c
+++ b/
net/netfilter/nf_conntrack_core.c
@@
-247,12
+247,15
@@
static void death_by_event(unsigned long ul_conntrack)
{
struct nf_conn *ct = (void *)ul_conntrack;
struct net *net = nf_ct_net(ct);
{
struct nf_conn *ct = (void *)ul_conntrack;
struct net *net = nf_ct_net(ct);
+ struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct);
+
+ BUG_ON(ecache == NULL);
if (nf_conntrack_event(IPCT_DESTROY, ct) < 0) {
/* bad luck, let's retry again */
if (nf_conntrack_event(IPCT_DESTROY, ct) < 0) {
/* bad luck, let's retry again */
-
ct
->timeout.expires = jiffies +
+
ecache
->timeout.expires = jiffies +
(random32() % net->ct.sysctl_events_retry_timeout);
(random32() % net->ct.sysctl_events_retry_timeout);
- add_timer(&
ct
->timeout);
+ add_timer(&
ecache
->timeout);
return;
}
/* we've got the event delivered, now it's dying */
return;
}
/* we've got the event delivered, now it's dying */
@@
-266,6
+269,9
@@
static void death_by_event(unsigned long ul_conntrack)
void nf_ct_insert_dying_list(struct nf_conn *ct)
{
struct net *net = nf_ct_net(ct);
void nf_ct_insert_dying_list(struct nf_conn *ct)
{
struct net *net = nf_ct_net(ct);
+ struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct);
+
+ BUG_ON(ecache == NULL);
/* add this conntrack to the dying list */
spin_lock_bh(&nf_conntrack_lock);
/* add this conntrack to the dying list */
spin_lock_bh(&nf_conntrack_lock);
@@
-273,10
+279,10
@@
void nf_ct_insert_dying_list(struct nf_conn *ct)
&net->ct.dying);
spin_unlock_bh(&nf_conntrack_lock);
/* set a new timer to retry event delivery */
&net->ct.dying);
spin_unlock_bh(&nf_conntrack_lock);
/* set a new timer to retry event delivery */
- setup_timer(&
ct
->timeout, death_by_event, (unsigned long)ct);
-
ct
->timeout.expires = jiffies +
+ setup_timer(&
ecache
->timeout, death_by_event, (unsigned long)ct);
+
ecache
->timeout.expires = jiffies +
(random32() % net->ct.sysctl_events_retry_timeout);
(random32() % net->ct.sysctl_events_retry_timeout);
- add_timer(&
ct
->timeout);
+ add_timer(&
ecache
->timeout);
}
EXPORT_SYMBOL_GPL(nf_ct_insert_dying_list);
}
EXPORT_SYMBOL_GPL(nf_ct_insert_dying_list);
@@
-776,7
+782,7
@@
init_conntrack(struct net *net, struct nf_conn *tmpl,
if (exp->helper) {
help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
if (help)
if (exp->helper) {
help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
if (help)
-
RCU_INIT_POINTER
(help->helper, exp->helper);
+
rcu_assign_pointer
(help->helper, exp->helper);
}
#ifdef CONFIG_NF_CONNTRACK_MARK
}
#ifdef CONFIG_NF_CONNTRACK_MARK
@@
-1487,6
+1493,7
@@
err_proto:
static int nf_conntrack_init_net(struct net *net)
{
static int nf_conntrack_init_net(struct net *net)
{
+ static atomic64_t unique_id;
int ret;
atomic_set(&net->ct.count, 0);
int ret;
atomic_set(&net->ct.count, 0);
@@
-1498,7
+1505,8
@@
static int nf_conntrack_init_net(struct net *net)
goto err_stat;
}
goto err_stat;
}
- net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%llu",
+ (u64)atomic64_inc_return(&unique_id));
if (!net->ct.slabname) {
ret = -ENOMEM;
goto err_slabname;
if (!net->ct.slabname) {
ret = -ENOMEM;
goto err_slabname;