On Thu, Feb 06, 2014 at 05:00:34PM +0100, Pablo Neira Ayuso wrote:
> If you add a rule using intervals+map that introduces a loop, the
> error path of the rbtree set decrements the chain refcount for each
> side of the interval, leading to a chain use counter underflow.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
>  net/netfilter/nft_rbtree.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nft_rbtree.c b/net/netfilter/nft_rbtree.c
> index ca0c1b2..b18e88b 100644
> --- a/net/netfilter/nft_rbtree.c
> +++ b/net/netfilter/nft_rbtree.c
> @@ -69,8 +69,10 @@ static void nft_rbtree_elem_destroy(const struct nft_set *set,
>  				    struct nft_rbtree_elem *rbe)
>  {
>  	nft_data_uninit(&rbe->key, NFT_DATA_VALUE);
> -	if (set->flags & NFT_SET_MAP)
> +	if (set->flags & NFT_SET_MAP &&
> +	    !(rbe->flags & NFT_SET_ELEM_INTERVAL_END))
>  		nft_data_uninit(rbe->data, set->dtype);
> +

That can't be correct. The NFT_SET_ELEM_INTERVAL_END can at the same time
begin a new interval, so this code is supposed to be like this. There can
also only be a chain reference here if we took one before during
initialization.

Please provide a test case so I can try myself.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
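Review bot: skipping nft_data_uninit(rbe->data, ...) for every element carrying NFT_SET_ELEM_INTERVAL_END in nft_rbtree_elem_destroy is only safe if the matching init path never initialises rbe->data for such elements; the hunk shows only the destroy side, so the patch should include (or point to) the symmetric change in the insert/init path, otherwise an interval-end element that also starts the next interval leaks the chain reference it took at initialisation instead of underflowing it. Two smaller points in the same hunk: write the condition as `if ((set->flags & NFT_SET_MAP) && !(rbe->flags & NFT_SET_ELEM_INTERVAL_END))` so the precedence of `&` over `&&` is explicit, and the trailing `+` line adding a blank line after the if-block (the quoted hunk is cut off right there) should be dropped if it is only whitespace.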