On Sun, May 07, 2017 at 10:01:56PM +0800, Liping Zhang wrote: > From: Liping Zhang <zlpnobody@xxxxxxxxx> > > We can still delete the ct helper even if it is in use, this will cause > a use-after-free error. In more detail, I mean: > # nfct helper add ssdp inet udp > # iptables -t raw -A OUTPUT -p udp -j CT --helper ssdp > # nfct helper delete ssdp //--> oops, succeed! > BUG: unable to handle kernel paging request at 000026ca > IP: 0x26ca > [...] > Call Trace: > ? ipv4_helper+0x62/0x80 [nf_conntrack_ipv4] > nf_hook_slow+0x21/0xb0 > ip_output+0xe9/0x100 > ? ip_fragment.constprop.54+0xc0/0xc0 > ip_local_out+0x33/0x40 > ip_send_skb+0x16/0x80 > udp_send_skb+0x84/0x240 > udp_sendmsg+0x35d/0xa50 > > So add reference count to fix this issue, if ct helper is used by > others, reject the delete request. > > Apply this patch: > # nfct helper delete ssdp > nfct v1.4.3: netlink error: Device or resource busy Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
