netfilter: cttimeout: unlink timeout objs in the unconfirmed ct lists - linux

diff options

author	Liping Zhang <liping.zhang@spreadtrum.com>	2016-08-22 15:58:18 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2016-08-25 13:11:30 +0200
commit	533e33009897c7dd1b0424c0d4b3331b222d5681 (patch)
tree	a8167d525453b6f5871643412847d7d973814bd0 /include
parent	netfilter: cttimeout: put back l4proto when replacing timeout policy (diff)
download	linux-533e33009897c7dd1b0424c0d4b3331b222d5681.tar.xz linux-533e33009897c7dd1b0424c0d4b3331b222d5681.zip

netfilter: cttimeout: unlink timeout objs in the unconfirmed ct lists

KASAN reported this bug: BUG: KASAN: use-after-free in icmp_packet+0x25/0x50 [nf_conntrack_ipv4] at addr ffff880002db08c8 Read of size 4 by task lt-nf-queue/19041 Call Trace: <IRQ> [<ffffffff815eeebb>] dump_stack+0x63/0x88 [<ffffffff813386f8>] kasan_report_error+0x528/0x560 [<ffffffff81338cc8>] kasan_report+0x58/0x60 [<ffffffffa07393f5>] ? icmp_packet+0x25/0x50 [nf_conntrack_ipv4] [<ffffffff81337551>] __asan_load4+0x61/0x80 [<ffffffffa07393f5>] icmp_packet+0x25/0x50 [nf_conntrack_ipv4] [<ffffffffa06ecaa0>] nf_conntrack_in+0x550/0x980 [nf_conntrack] [<ffffffffa06ec550>] ? __nf_conntrack_confirm+0xb10/0xb10 [nf_conntrack] [ ... ] The main reason is that we missed to unlink the timeout objects in the unconfirmed ct lists, so we will access the timeout objects that have already been freed. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'include')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: