Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6d9719ef authored by Florian Westphal's avatar Florian Westphal Committed by Greg Kroah-Hartman
Browse files

netfilter: nf_queue: don't assume sk is full socket 



commit 747670fd9a2d1b7774030dba65ca022ba442ce71 upstream.

There is no guarantee that state->sk refers to a full socket.

If refcount transitions to 0, sock_put calls sk_free which then ends up
with garbage fields.

I'd like to thank Oleksandr Natalenko and Jiri Benc for considerable
debug work and pointing out state->sk oddities.

Fixes: ca6fb065 ("tcp: attach SYNACK messages to request sockets instead of listener")
Tested-by: default avatarOleksandr Natalenko <oleksandr@redhat.com>
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 94c115d1

net/netfilter/nf_queue.c

+10 −1
Original line number Original line Diff line number Diff line
@@ -46,6 +46,15 @@ void nf_unregister_queue_handler(struct net *net) 
}

}

EXPORT_SYMBOL(nf_unregister_queue_handler);

EXPORT_SYMBOL(nf_unregister_queue_handler);





static void nf_queue_sock_put(struct sock *sk)

{

#ifdef CONFIG_INET

	sock_gen_put(sk);

#else

	sock_put(sk);

#endif

}



void nf_queue_entry_release_refs(struct nf_queue_entry *entry)

void nf_queue_entry_release_refs(struct nf_queue_entry *entry)

{

{

	struct nf_hook_state *state = &entry->state;

	struct nf_hook_state *state = &entry->state;
@@ -56,7 +65,7 @@ void nf_queue_entry_release_refs(struct nf_queue_entry *entry) 
	if (state->out)

	if (state->out)

		dev_put(state->out);

		dev_put(state->out);

	if (state->sk)

	if (state->sk)

		sock_put(state->sk);

		nf_queue_sock_put(state->sk);

#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)

#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)

	if (entry->skb->nf_bridge) {

	if (entry->skb->nf_bridge) {

		struct net_device *physdev;

		struct net_device *physdev;