Commit d04b4f8c authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller

[NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)

The portptr pointing to the port in the conntrack tuple is declared static,
which could result in memory corruption when two packets of the same
protocol are NATed at the same time and one conntrack goes away.
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 4c1217de
...@@ -40,7 +40,8 @@ tcp_unique_tuple(struct ip_conntrack_tuple *tuple, ...@@ -40,7 +40,8 @@ tcp_unique_tuple(struct ip_conntrack_tuple *tuple,
enum ip_nat_manip_type maniptype, enum ip_nat_manip_type maniptype,
const struct ip_conntrack *conntrack) const struct ip_conntrack *conntrack)
{ {
static u_int16_t port, *portptr; static u_int16_t port;
u_int16_t *portptr;
unsigned int range_size, min, i; unsigned int range_size, min, i;
if (maniptype == IP_NAT_MANIP_SRC) if (maniptype == IP_NAT_MANIP_SRC)
......
...@@ -41,7 +41,8 @@ udp_unique_tuple(struct ip_conntrack_tuple *tuple, ...@@ -41,7 +41,8 @@ udp_unique_tuple(struct ip_conntrack_tuple *tuple,
enum ip_nat_manip_type maniptype, enum ip_nat_manip_type maniptype,
const struct ip_conntrack *conntrack) const struct ip_conntrack *conntrack)
{ {
static u_int16_t port, *portptr; static u_int16_t port;
u_int16_t *portptr;
unsigned int range_size, min, i; unsigned int range_size, min, i;
if (maniptype == IP_NAT_MANIP_SRC) if (maniptype == IP_NAT_MANIP_SRC)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment