On Fri, Mar 27, 2015 at 07:37:41PM +0100, Daniel Borkmann wrote:
> While originally only being intended for outgoing traffic, commit
> a00e76349f35 ("netfilter: x_tables: allow to use cgroup match for
> LOCAL_IN nf hooks") enabled xt_cgroups for the NF_INET_LOCAL_IN hook
> as well, in order to allow for nfacct accounting.
>
> Besides being currently limited to early demuxes only, commit
> a00e76349f35 forgot to add a check if we deal with full sockets,
> i.e. in this case not with time wait sockets. TCP time wait sockets
> do not have the same memory layout as full sockets, a lower memory
> footprint and consequently also don't have a sk_classid member;
> probing for sk_classid member there could potentially lead to a
> crash.

Mangled this patch and applied to nf-next. I'll pass this to -stable
using this as backport. Thanks.
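The layout problem the quoted commit message describes, as an added example that is not part of the thread or of the kernel's own xt_cgroup code: a user-space model in which every socket kind starts with a common header, the time-wait socket stays small, and only the full socket carries a classid. Reading the classid through a time-wait socket reaches past the end of the smaller object, and the fix is to test for a full socket first (the `is_full_sock()` helper here is modelled on the kernel's `sk_fullsock()`). All struct and function names, the field sizes, and the classid values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_ESTABLISHED 1
#define TCP_TIME_WAIT   6

/* Header shared by every socket kind (stands in for struct sock_common). */
struct sock_common {
    uint8_t  skc_state;
    uint16_t skc_num;
};

/* Time-wait socket: deliberately small, as the commit message describes. */
struct tw_sock {
    struct sock_common tw_common;
    uint32_t           tw_timeout;
};

/* Full socket: the same header, then many more fields, then the classid. */
struct full_sock {
    struct sock_common sk_common;
    uint8_t            body[64];   /* placeholder for the rest of a full socket */
    uint32_t           sk_classid; /* present only on full sockets */
};

/* Modelled on the kernel's sk_fullsock(): a time-wait socket is not full. */
static int is_full_sock(const struct sock_common *sk)
{
    return sk->skc_state != TCP_TIME_WAIT;
}

/* Returns 1 if reading sk_classid through a time-wait socket would run
 * past the end of the smaller object: this is the crash being avoided. */
static int classid_read_exceeds_tw_sock(void)
{
    size_t end = offsetof(struct full_sock, sk_classid) + sizeof(uint32_t);
    return end > sizeof(struct tw_sock);
}

/* The check that was missing: only compare the classid on a full socket.
 * Returns 0 and sets *matched when the socket is usable, -1 otherwise. */
static int cgroup_match(const struct sock_common *sk, uint32_t wanted, int *matched)
{
    *matched = 0;
    if (sk == NULL || !is_full_sock(sk))
        return -1;
    *matched = ((const struct full_sock *)sk)->sk_classid == wanted;
    return 0;
}

int main(void)
{
    struct full_sock fs;
    struct tw_sock   tw;
    int m, rc;

    memset(&fs, 0, sizeof fs);
    fs.sk_common.skc_state = TCP_ESTABLISHED;
    fs.sk_classid = 0x100001;                 /* constructed classid */

    memset(&tw, 0, sizeof tw);
    tw.tw_common.skc_state = TCP_TIME_WAIT;

    rc = cgroup_match(&fs.sk_common, 0x100001, &m);
    printf("full sock: rc=%d matched=%d\n", rc, m);
    rc = cgroup_match(&tw.tw_common, 0x100001, &m);
    printf("tw sock:   rc=%d matched=%d\n", rc, m);
    printf("classid read would run past tw_sock end: %s\n",
           classid_read_exceeds_tw_sock() ? "yes" : "no");
    return 0;
}
```

The offset check is the part worth keeping in mind when reviewing such code: whether the out-of-bounds read crashes or silently returns garbage depends on what happens to sit after the time-wait object, so the absence of a crash in testing says nothing about correctness.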