On Tue, Mar 21, 2017 at 03:07:10PM +0800, Jeffy Chen wrote:
> We have memory leaks of nf_conntrack_helper & expect_policy.
>
> Signed-off-by: Jeffy Chen <jeffy.chen@xxxxxxxxxxxxxx>
> ---
>
> net/netfilter/nfnetlink_cthelper.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
> index de87823..99d4bd7 100644
> --- a/net/netfilter/nfnetlink_cthelper.c
> +++ b/net/netfilter/nfnetlink_cthelper.c
> @@ -191,6 +191,8 @@ nfnl_cthelper_parse_expect_policy(struct nf_conntrack_helper *helper,
> if (ret < 0)
> goto err;
> }
> +
> + kfree(helper->expect_policy);
> helper->expect_policy = expect_policy;
This is fixing the leak, however this is not safe since a packet may
be still walking on the older helper->expect_policy.
old_expect_policy = helper->expect_policy);
helper->expect_policy = expect_policy;
kfree(old_expect_policy);
We need to protect this with RCU if we want to support expectation
policy updates properly.
I'm going to take this patch, but we have to follow up on this.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
