[ovs-dev,v2] conntrack: Fix ct-clean thread crash bug

Message ID 1503642323-12248-1-git-send-email-huanglili.huang@huawei.com
State Accepted
Delegated to: Darrell Ball

Commit Message

huanglili Aug. 25, 2017, 6:25 a.m. UTC
From: Lili Huang <huanglili.huang@huawei.com>

Conn should be removed from the list before being freed.

This crash will be triggered when an established flow does ct(nat)
again, like
"ip,actions=ct(table=1)
 table=1,in_port=1,ip,actions=ct(commit,nat(dst=5.5.5.5)),2
 table=1,in_port=2,ip,ct_state=+est,actions=1
 table=1,in_port=1,ip,ct_state=+est,actions=2"

Signed-off-by: Lili Huang <huanglili.huang@huawei.com>
---
 lib/conntrack.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Darrell Ball Aug. 25, 2017, 9:28 p.m. UTC | #1
Thanks for the fix Lili

I also updated AUTHORS.rst, since I did not find your name there.

I also added a Fixes tag and more detail to the commit message.

and applied the patch to dpdk_merge here

https://github.com/darball/ovs/commits/dpdk_merge

This will need to go to 2.8 as well



On 8/24/17, 11:25 PM, "ovs-dev-bounces@openvswitch.org on behalf of huanglili" <ovs-dev-bounces@openvswitch.org on behalf of huanglili.huang@huawei.com> wrote:

    From: Lili Huang <huanglili.huang@huawei.com>
    
    Conn should be removed from the list before being freed.
    
    This crash will be triggered when an established flow does ct(nat)
    again, like
    "ip,actions=ct(table=1)
     table=1,in_port=1,ip,actions=ct(commit,nat(dst=5.5.5.5)),2
     table=1,in_port=2,ip,ct_state=+est,actions=1
     table=1,in_port=1,ip,ct_state=+est,actions=2"
    
    Signed-off-by: Lili Huang <huanglili.huang@huawei.com>
    ---
     lib/conntrack.c | 1 +
     1 file changed, 1 insertion(+)
    
    diff --git a/lib/conntrack.c b/lib/conntrack.c
    index 1c0e023..4918aaf 100644
    --- a/lib/conntrack.c
    +++ b/lib/conntrack.c
    @@ -805,6 +805,7 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt,
          * against with firewall rules or a separate firewall.
          * Also using zone partitioning can limit DoS impact. */
     nat_res_exhaustion:
    +    ovs_list_remove(&nc->exp_node);
         delete_conn(nc);
         /* conn_for_un_nat_copy is a local variable in process_one; this
          * memset() serves to document that conn_for_un_nat_copy is from
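Review bot: The new ovs_list_remove(&nc->exp_node) call under nat_res_exhaustion carries no comment saying why the unlink has to come before delete_conn(nc). The commit message states that a conn must be removed from the list before it is freed; a one-line comment at this spot saying so would keep a later cleanup from reordering or dropping the call and leaving a freed node on the list.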
    -- 
    1.8.3.1

Patch

diff --git a/lib/conntrack.c b/lib/conntrack.c
index 1c0e023..4918aaf 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -805,6 +805,7 @@  conn_not_found(struct conntrack *ct, struct dp_packet *pkt,
      * against with firewall rules or a separate firewall.
      * Also using zone partitioning can limit DoS impact. */
 nat_res_exhaustion:
+    ovs_list_remove(&nc->exp_node);
     delete_conn(nc);
     /* conn_for_un_nat_copy is a local variable in process_one; this
      * memset() serves to document that conn_for_un_nat_copy is from
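Review bot: At the nat_res_exhaustion label, ovs_list_remove(&nc->exp_node) now runs on every path that jumps here, and the hunk does not show whether nc has always been linked into the list by that point. Please confirm that each goto to this label comes after the node is inserted; if any path can arrive earlier, the unlink would operate on a list node that was never initialized. Adding the flow rules from the commit message as a regression test would also help keep this path covered.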