Patchwork [4/4] netfilter: ipset: dumping error triggered removing references twice

login
register
mail settings
Submitter Pablo Neira
Date Jan. 17, 2012, 11:04 a.m.
Message ID <1326798289-11592-5-git-send-email-pablo@netfilter.org>
Download mbox | patch
Permalink /patch/136448/
State Accepted
Delegated to: David Miller
Headers show

Comments

Pablo Neira - Jan. 17, 2012, 11:04 a.m.
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

If there was a dumping error in the middle, the set-specific variable was
not zeroed out and thus the 'done' function of the dumping wrongly tried
to release the already released reference of the set. The already released
reference was caught by __ip_set_put and triggered a kernel BUG message.
Reported by Jean-Philippe Menil.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/ipset/ip_set_core.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

Patch

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 0f8e5f2..32dbf0f 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1142,6 +1142,7 @@  release_refcount:
 	if (ret || !cb->args[2]) {
 		pr_debug("release set %s\n", ip_set_list[index]->name);
 		ip_set_put_byindex(index);
+		cb->args[2] = 0;
 	}
 out:
 	if (nlh) {