Patchwork [FIX,V2] sip: add missing RCU reader lock

Submitter holger@eitzenberger.org
Date Sept. 20, 2013, 8:43 p.m.
Message ID <20130920204304.GA12439@imap.eitzenberger.org>
Permalink /patch/276801/
State Accepted

Comments

holger@eitzenberger.org - Sept. 20, 2013, 8:43 p.m.
Hi,

I noticed that set_expected_rtp_rtcp() in net-next misses a 2nd
RCU reader lock when dereferencing the 2nd hook function.  Same
bug is present in kernel v3.8 at least.

This is a resend, which extends the RCU protected area as needed.

Please check.

 /Holger
Pablo Neira - Sept. 27, 2013, 2:14 p.m.
On Fri, Sep 20, 2013 at 10:43:04PM +0200, Holger Eitzenberger wrote:
> Hi,
> 
> I noticed that set_expected_rtp_rtcp() in net-next misses a 2nd
> RCU reader lock when dereferencing the 2nd hook function.  Same
> bug is present in kernel v3.8 at least.
> 
> This is a resend, which extends the RCU protected area as needed.

Applied to nf-next, thanks Holger.

I added to the description a short clarification, as Patrick mentioned,
this is a cosmetic fix.

Patch

sip: add missing RCU reader lock in set_expected_rtp_rtcp()

Currently set_expected_rtp_rtcp() in the SIP helper uses
rcu_dereference() two times to access two different NAT hook
functions.  However, only the first one is protected by the RCU
reader lock, but the 2nd isn't.

Fix it by extending the RCU protected area.

Signed-off-by: Holger Eitzenberger <holger.eitzenberger@sophos.com>

Index: net-next/net/netfilter/nf_conntrack_sip.c
===================================================================
--- net-next.orig/net/netfilter/nf_conntrack_sip.c
+++ net-next/net/netfilter/nf_conntrack_sip.c
@@ -966,7 +966,6 @@  static int set_expected_rtp_rtcp(struct
 #endif
 			skip_expect = 1;
 	} while (!skip_expect);
-	rcu_read_unlock();
 
 	base_port = ntohs(tuple.dst.u.udp.port) & ~1;
 	rtp_port = htons(base_port);
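
Review bot: the rcu_read_unlock() dropped after the do/while loop leaves nothing at this spot to say the read-side section is still open, and the matching rcu_read_lock() is outside the visible context. A one-line comment here, stating that the lock stays held until err1 because the second NAT hook is dereferenced further down, would keep a later edit from adding a plain return in between. The section now also covers nf_ct_expect_alloc(ct), so the commit message should state that nothing in the extended region may sleep.
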
@@ -980,8 +979,10 @@  static int set_expected_rtp_rtcp(struct
 			goto err1;
 	}
 
-	if (skip_expect)
+	if (skip_expect) {
+		rcu_read_unlock();
 		return NF_ACCEPT;
+	}
 
 	rtp_exp = nf_ct_expect_alloc(ct);
 	if (rtp_exp == NULL)
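
Review bot: the skip_expect branch now carries its own rcu_read_unlock() before return NF_ACCEPT, which gives the function two separate unlock sites. Since err1 ends up as just the unlock followed by return ret, setting ret = NF_ACCEPT and jumping to err1 would keep a single release point; renaming the label to something like out_unlock would then fit, as it is no longer only an error path.
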
@@ -1012,6 +1013,7 @@  static int set_expected_rtp_rtcp(struct
 err2:
 	nf_ct_expect_put(rtp_exp);
 err1:
+	rcu_read_unlock();
 	return ret;
 }
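
Review bot: the unlock added under err1 is the only release for every path past the skip_expect check, so any return in the lines not shown between this hunk and the previous one that does not go through err1 would leave the RCU read lock held. The goto err1 visible in the earlier context is covered; please confirm that the remaining exits between nf_ct_expect_alloc() and err2 all reach this label.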