> From: Florian Westphal [mailto:fw@xxxxxxxxx] > Subject: [PATCH nf] netfilter: expect: fix crash when putting uninited > expectation > > We crash in __nf_ct_expect_check, it calls nf_ct_remove_expect on the > uninitialised expectation instead of existing one, so del_timer chokes on > random memory address. > > Fixes: ec0e3f01114ad32711243 ("netfilter: nf_ct_expect: Add > nf_ct_remove_expect()") > Reported-by: Sergey Kvachonok <ravenexp@xxxxxxxxx> > Tested-by: Sergey Kvachonok <ravenexp@xxxxxxxxx> > Cc: Gao Feng <fgao@xxxxxxxxxx> > Signed-off-by: Florian Westphal <fw@xxxxxxxxx> > --- > net/netfilter/nf_conntrack_expect.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_conntrack_expect.c > b/net/netfilter/nf_conntrack_expect.c > index e03d16ed550d..899c2c36da13 100644 > --- a/net/netfilter/nf_conntrack_expect.c > +++ b/net/netfilter/nf_conntrack_expect.c > @@ -422,7 +422,7 @@ static inline int __nf_ct_expect_check(struct > nf_conntrack_expect *expect) > h = nf_ct_expect_dst_hash(net, &expect->tuple); > hlist_for_each_entry_safe(i, next, &nf_ct_expect_hash[h], hnode) { > if (expect_matches(i, expect)) { > - if (nf_ct_remove_expect(expect)) > + if (nf_ct_remove_expect(i)) Thanks for your fix. It's a typo indeed. Best Regards Feng > break; > } else if (expect_clash(i, expect)) { > ret = -EBUSY; > -- > 2.13.0
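Review bot: in the expect_matches() branch of the loop in __nf_ct_expect_check(), the return value of nf_ct_remove_expect(i) only decides whether the walk breaks; when it returns false the loop moves on to the next entry, and nothing in the hunk says what that case means or why continuing is correct. A one-line comment above the call would help. The one-character difference between the loop cursor i and the function argument expect is also what let the original slip through review, so consider a short comment at the top of the loop stating that i is the entry already in nf_ct_expect_hash and expect is the caller's new expectation that has not been inserted yet, or a more descriptive name for the cursor.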