From patchwork Fri Sep 20 20:43:04 2013
X-Patchwork-Submitter: holger@eitzenberger.org
X-Patchwork-Id: 276801
Date: Fri, 20 Sep 2013 22:43:04 +0200
From: Holger Eitzenberger
To: netfilter-devel
Cc: Patrick McHardy
Subject: [FIX V2] sip: add missing RCU reader lock
Message-ID: <20130920204304.GA12439@imap.eitzenberger.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

Hi,

I noticed that set_expected_rtp_rtcp() in net-next misses a 2nd RCU reader lock when dereferencing the 2nd hook function. Same bug is present in kernel v3.8 at least.

This is a resend, which extends the RCU protected area as needed.

Please check.

/Holger

sip: add missing RCU reader lock in set_expected_rtp_rtcp()

Currently set_expected_rtp_rtcp() in the SIP helper uses rcu_dereference() two times to access two different NAT hook functions. However, only the first one is protected by the RCU reader lock, but the 2nd isn't.

Fix it by extending the RCU protected area.

Signed-off-by: Holger Eitzenberger

Index: net-next/net/netfilter/nf_conntrack_sip.c =================================================================== --- net-next.orig/net/netfilter/nf_conntrack_sip.c +++ net-next/net/netfilter/nf_conntrack_sip.c @@ -966,7 +966,6 @@ static int set_expected_rtp_rtcp(struct #endif skip_expect = 1; } while (!skip_expect); - rcu_read_unlock(); base_port = ntohs(tuple.dst.u.udp.port) & ~1; rtp_port = htons(base_port); 
@@ -980,8 +979,10 @@ static int set_expected_rtp_rtcp(struct goto err1; } - if (skip_expect) + if (skip_expect) { + rcu_read_unlock(); return NF_ACCEPT; + } rtp_exp = nf_ct_expect_alloc(ct); if (rtp_exp == NULL) @@ -1012,6 +1013,7 @@ static int set_expected_rtp_rtcp(struct err2: nf_ct_expect_put(rtp_exp); err1: + rcu_read_unlock(); return ret; }
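
Review bot: In the hunk at @@ -966,7 +966,6 @@, dropping the rcu_read_unlock() after the "while (!skip_expect)" loop leaves the read-side section open for the rest of the function, yet neither the changelog nor the visible context shows where the second rcu_dereference() sits. Please name the second NAT hook in the commit message so the required extent of the section is clear, and confirm that no return statement outside the shown context leaves the function between this point and err1 without unlocking.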
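
Review bot: In the hunk at @@ -980,8 +979,10 @@, the "if (skip_expect)" early return now carries its own rcu_read_unlock(), which gives the function two unlock sites that have to be kept in sync. Setting ret = NF_ACCEPT and using goto err1 there would leave a single release point. Separately, nf_ct_expect_alloc(ct) and everything after it now run inside the RCU read-side section, so it is worth stating in the changelog that nothing on that path can sleep.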
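
Review bot: In the hunk at @@ -1012,6 +1013,7 @@, the err1 label now releases the RCU read lock as well as returning ret, so its name no longer describes what it does and a later change that adds a plain "return" above it will silently leak the lock. Consider renaming it to something like out_unlock (or adding a one-line comment at the label) to document that every exit after the loop must pass through it.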