[NETFILTER]: Fix overlapping expectations in existing expectation code

Change kmem_cache_free() calls in ip_conntrack_expect_related() to ip_conntrack_expect_put(): they should be equivalent but allows a hack in next patch (caller can keep expect). More importantly, a previous expectation should only be refreshed and return EEXIST if it's owned by the same connection (nfsim found this bug). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: David S. Miller <davem@davemloft.net>

[NETFILTER]: Fix overlapping expectations in existing expectation code
Change kmem_cache_free() calls in ip_conntrack_expect_related() to ip_conntrack_expect_put(): they should be equivalent but allows a hack in next patch (caller can keep expect). More importantly, a previous expectation should only be refreshed and return EEXIST if it's owned by the same connection (nfsim found this bug). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: David S. Miller <davem@davemloft.net>
13b9f4df · Rusty Russell · David S. Miller · 85ef7720 · 13b9f4df
Commit 13b9f4df authored Jan 16, 2005 by Rusty Russell Committed by David S. Miller Jan 16, 2005
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 5 deletions

net/ipv4/netfilter/ip_conntrack_core.c net/ipv4/netfilter/ip_conntrack_core.c +4 -5

No files found.
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -912,7 +912,7 @@ int ip_conntrack_expect_related(struct ip_conntrack_expect *expect,
 	old = LIST_FIND(&ip_conntrack_expect_list, resent_expect,
 		        struct ip_conntrack_expect *, &expect->tuple, 
 			&expect->mask);
-	if (old) {
+	if (old && old->expectant == related_to) {
 		/* Helper private data may contain offsets but no pointers
 		   pointing into the payload - otherwise we should have to copy 
 		   the data filled out by the helper over the old one */
@@ -929,8 +929,7 @@ int ip_conntrack_expect_related(struct ip_conntrack_expect *expect,
 		}

 		WRITE_UNLOCK(&ip_conntrack_lock);
-		/* This expectation is not inserted so no need to lock */
-		kmem_cache_free(ip_conntrack_expect_cachep, expect);
+		ip_conntrack_expect_put(expect);
 		return -EEXIST;

 	} else if (related_to->helper->max_expected && 
@@ -948,7 +947,7 @@ int ip_conntrack_expect_related(struct ip_conntrack_expect *expect,
 				       related_to->helper->name,
 		    	       	       NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip),
 		    	       	       NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip));
-			kmem_cache_free(ip_conntrack_expect_cachep, expect);
+			ip_conntrack_expect_put(expect);	
 			return -EPERM;
 		}
 		DEBUGP("ip_conntrack: max number of expected "
@@ -982,7 +981,7 @@ int ip_conntrack_expect_related(struct ip_conntrack_expect *expect,
 		WRITE_UNLOCK(&ip_conntrack_lock);
 		DEBUGP("expect_related: busy!\n");

-		kmem_cache_free(ip_conntrack_expect_cachep, expect);
+		ip_conntrack_expect_put(expect);	
 		return -EBUSY;
 	}