]> git.baikalelectronics.ru Git - kernel.git/commitdiff
projects / kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3345c4a)
netfilter: conntrack: re-fetch conntrack after insertion
authorFlorian Westphal <fw@strlen.de>
Thu, 19 May 2022 22:02:04 +0000 (00:02 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 27 May 2022 09:16:34 +0000 (11:16 +0200)
In case the conntrack is clashing, insertion can free skb->_nfct and
set skb->_nfct to the already-confirmed entry.

This wasn't found before because the conntrack entry and the extension
space used to free'd after an rcu grace period, plus the race needs
events enabled to trigger.

Reported-by: <syzbot+793a590957d9c1b96620@syzkaller.appspotmail.com>
Fixes: 82ae35d224ae ("netfilter: conntrack: introduce clash resolution on insertion race")
Fixes: 0b331c716b85 ("netfilter: conntrack: free extension area immediately")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/netfilter/nf_conntrack_core.h patch | blob | history

diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 6406cfee34c2d646eb2aa04ddcc0de9f72cd7159..37866c8386e234b261e5f665db29110bea262e06 100644 (file)
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -58,8 +58,13 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb)
        int ret = NF_ACCEPT;
 
        if (ct) {
-               if (!nf_ct_is_confirmed(ct))
+               if (!nf_ct_is_confirmed(ct)) {
                        ret = __nf_conntrack_confirm(skb);
+
+                       if (ret == NF_ACCEPT)
+                               ct = (struct nf_conn *)skb_nfct(skb);
+               }
+
                if (ret == NF_ACCEPT && nf_ct_ecache_exist(ct))
                        nf_ct_deliver_cached_events(ct);
        }
Linux Kernel Source Tree.