| Message ID | 1491622728-55625-1-git-send-email-zlpnobody@163.com |
|---|---|
| State | Changes Requested |
| Delegated to: | Pablo Neira |
| Headers | show |
On Sat, Apr 08, 2017 at 11:38:48AM +0800, Liping Zhang wrote: > From: Liping Zhang <zlpnobody@gmail.com> > > We should call module_put when the time policy is not found. Otherwise, > the related cthelper module cannot be removed anymore. > > It is easy to reproduce by typing the following command: > # iptables -t raw -A OUTPUT -p tcp -j CT --helper ftp --timeout xxx Can we fix all leaks in the error path in one single patch for xt_CT? Feng sent me a patch to fix another issue there, so if either you or him send me one single patch to fix all xt_CT refcount leaks in one go, I'd appreciate. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Pablo, 2017-04-14 6:30 GMT+08:00 Pablo Neira Ayuso <pablo@netfilter.org>: >> We should call module_put when the time policy is not found. Otherwise, >> the related cthelper module cannot be removed anymore. >> >> It is easy to reproduce by typing the following command: >> # iptables -t raw -A OUTPUT -p tcp -j CT --helper ftp --timeout xxx > > Can we fix all leaks in the error path in one single patch for xt_CT? Right. > Feng sent me a patch to fix another issue there, so if either you or > him send me one single patch to fix all xt_CT refcount leaks in one > go, I'd appreciate. Feng, since you spotted this issue earlier, can you send a new patch to do this? With a new patch name: "netfilter: xt_CT: fix refcnt leak on error path". Also you can add my: Signed-off-by: Liping Zhang <zlpnobody@gmail.com> -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
> -----Original Message----- > From: Liping Zhang [mailto:zlpnobody@gmail.com] > Hi Pablo, > > 2017-04-14 6:30 GMT+08:00 Pablo Neira Ayuso <pablo@netfilter.org>: > >> We should call module_put when the time policy is not found. > >> Otherwise, the related cthelper module cannot be removed anymore. > >> > >> It is easy to reproduce by typing the following command: > >> # iptables -t raw -A OUTPUT -p tcp -j CT --helper ftp --timeout xxx > > > > Can we fix all leaks in the error path in one single patch for xt_CT? > > Right. > > > Feng sent me a patch to fix another issue there, so if either you or > > him send me one single patch to fix all xt_CT refcount leaks in one > > go, I'd appreciate. > > Feng, since you spotted this issue earlier, can you send a new patch to do this? > With a new patch name: "netfilter: xt_CT: fix refcnt leak on error path". Thanks. > > Also you can add my: > Signed-off-by: Liping Zhang <zlpnobody@gmail.com> No problem. Regards Feng -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c index b008db0..841cfba 100644 --- a/net/netfilter/xt_CT.c +++ b/net/netfilter/xt_CT.c @@ -200,6 +200,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par, struct xt_ct_target_info_v1 *info) { struct nf_conntrack_zone zone; + struct nf_conn_help *help; struct nf_conn *ct; int ret = -EOPNOTSUPP; @@ -248,7 +249,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par, if (info->timeout[0]) { ret = xt_ct_set_timeout(ct, par, info->timeout); if (ret < 0) - goto err3; + goto err4; } __set_bit(IPS_CONFIRMED_BIT, &ct->status); nf_conntrack_get(&ct->ct_general); @@ -256,6 +257,10 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par, info->ct = ct; return 0; +err4: + help = nfct_help(ct); + if (help) + module_put(help->helper->me); err3: nf_ct_tmpl_free(ct); err2: