From patchwork Fri Sep 2 01:48:25 2016
X-Patchwork-Id: 665102
X-Patchwork-Delegate: pablo@netfilter.org
From: fgao@ikuai8.com
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org
Cc: gfree.wind@gmail.com, Gao Feng
Subject: [PATCH 1/2 nf] netfilter: seqadj: Fix some possible panics of seqadj when mem is exhausted
Date: Fri, 2 Sep 2016 09:48:25 +0800
Message-Id: <1472780905-13094-1-git-send-email-fgao@ikuai8.com>
From: Gao Feng When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj extension. But these interface functions nf_ct_seqadj_init and nf_ct_seq_adjust don't check if they get the valid seqadj pointer by the nfct_seqadj, while nf_ct_seqadj_set and nf_ct_seq_offset perform that check. So the system would be panic when nfct_seqadj_ext_add failed. Signed-off-by: Gao Feng --- net/netfilter/nf_conntrack_seqadj.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_conntrack_seqadj.c b/net/netfilter/nf_conntrack_seqadj.c index dff0f0c..2a2fd0e 100644 --- a/net/netfilter/nf_conntrack_seqadj.c +++ b/net/netfilter/nf_conntrack_seqadj.c @@ -16,9 +16,14 @@ int nf_ct_seqadj_init(struct nf_conn *ct, enum ip_conntrack_info ctinfo, if (off == 0) return 0; + seqadj = nfct_seqadj(ct); + if (unlikely(!seqadj)) { + WARN_ONCE(1, "Missing nfct_seqadj_ext_add() setup call\n"); + return 0; + } + set_bit(IPS_SEQ_ADJUST_BIT, &ct->status); - seqadj = nfct_seqadj(ct); this_way = &seqadj->seq[dir]; this_way->offset_before = off; this_way->offset_after = off; @@ -171,6 +176,11 @@ int nf_ct_seq_adjust(struct sk_buff *skb, struct nf_ct_seqadj *this_way, *other_way; int res; + if (unlikely(!seqadj)) { + WARN_ONCE(1, "Missing nfct_seqadj_ext_add() setup call\n"); + return 0; + } + this_way = &seqadj->seq[dir]; other_way = &seqadj->seq[!dir]; @@ -218,8 +228,10 @@ s32 nf_ct_seq_offset(const struct nf_conn *ct, struct nf_conn_seqadj *seqadj = nfct_seqadj(ct); struct nf_ct_seqadj *this_way; - if (!seqadj) + if (unlikely(!seqadj)) { + WARN_ONCE(1, "Missing nfct_seqadj_ext_add() setup call\n"); return 0; + } this_way = &seqadj->seq[dir]; return after(seq, this_way->correction_pos) ?
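Review bot: in nf_ct_seqadj_init (hunk at -16,9) the new failure path returns 0, the same value the function already returns for the off == 0 no-op case just above it, so a caller cannot tell that the offset was never recorded. The commit message attributes the missing extension to memory exhaustion, yet the warning text blames a missing nfct_seqadj_ext_add() setup call, and a WARN_ONCE on an allocation-failure path will itself take the machine down where panic_on_warn is set. Consider returning an error here, or checking the result of nfct_seqadj_ext_add at its call sites so this function is never reached without the extension.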
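Review bot: in nf_ct_seq_adjust (hunk at -171,6) the added check returns 0, but neither the commit message nor a comment says what 0 means to the caller for the packet in skb: whether it is dropped or passed on with unadjusted sequence numbers. Please state the intended outcome next to the check, because on a connection whose payload has already been resized the two outcomes differ (a dropped packet versus a stream that continues with inconsistent sequence numbers).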
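Review bot: in nf_ct_seq_offset (hunk at -218,8) the existing "if (!seqadj) return 0;" already prevented the NULL dereference, as the commit message itself notes, so the only change here is a new WARN_ONCE on a path that used to be silent, and the commit message does not mention it. If this function can be called for connections that never had a seqadj extension added, the warning will fire on normal traffic. Either drop this hunk from the fix or explain in the commit message why a missing extension is always a bug at this point.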