netfilter: nf_conntrack_helper: fix possible null deref during error log
Reported by sashiko: there is a small race window.
If a helper module is unloaded or a userspace-defined helper is
removed, nf_conntrack_helper_unregister() sets ->helper to NULL.
Handle this safely. This needs a second patch to close related
race during nf_conntrack_helper_unregister().
Fixes: b20ab9cc63 ("netfilter: nf_ct_helper: better logging for dropped packets")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
master
parent
93d809adc1
commit
1afc25ae75
|
|
@ -321,8 +321,8 @@ __printf(3, 4)
|
|||
void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct,
|
||||
const char *fmt, ...)
|
||||
{
|
||||
const char *helper_name = "(null)";
|
||||
const struct nf_conn_help *help;
|
||||
const struct nf_conntrack_helper *helper;
|
||||
struct va_format vaf;
|
||||
va_list args;
|
||||
|
||||
|
|
@ -331,14 +331,17 @@ void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct,
|
|||
vaf.fmt = fmt;
|
||||
vaf.va = &args;
|
||||
|
||||
/* Called from the helper function, this call never fails */
|
||||
help = nfct_help(ct);
|
||||
if (help) {
|
||||
const struct nf_conntrack_helper *helper;
|
||||
|
||||
/* rcu_read_lock()ed by nf_hook_thresh */
|
||||
helper = rcu_dereference(help->helper);
|
||||
helper = rcu_dereference(help->helper);
|
||||
if (helper)
|
||||
helper_name = helper->name;
|
||||
}
|
||||
|
||||
nf_log_packet(nf_ct_net(ct), nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL,
|
||||
"nf_ct_%s: dropping packet: %pV ", helper->name, &vaf);
|
||||
"helper %s dropping packet: %pV ", helper_name, &vaf);
|
||||
|
||||
va_end(args);
|
||||
}
|
||||
|
|
|
|||
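Review bot: The nf_log_packet() call changes the log prefix from `"nf_ct_%s: dropping packet: %pV "` to `"helper %s dropping packet: %pV "`, which is unrelated to the NULL check and will stop log parsers or alert rules that match the `nf_ct_<helper>:` prefix from firing, more so if this Fixes:-tagged change reaches stable trees. Assuming the string passed with helper_name is the new side, I would keep the old text, `"nf_ct_%s: dropping packet: %pV ", helper_name, &vaf);`, or state the format change in the commit message. Separately, helper_name still points at helper->name after the `if (help)` block closes, so it is only safe while the caller's RCU read-side section is held. The page does not show whether the `/* rcu_read_lock()ed by nf_hook_thresh */` comment survives; if it is dropped, a replacement above the rcu_dereference() such as `/* caller holds rcu_read_lock(); helper_name is only used inside that section */` would keep the assumption visible.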