aboutsummaryrefslogtreecommitdiff
path: root/README
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2007-05-19 14:23:52 -0700
committerDavid S. Miller <davem@davemloft.net>2007-05-19 14:23:52 -0700
commit5397e97d7533a03b28a7b8aeee648cbb36a8afc6 (patch)
tree178b2db127eec358138a8312280a36de51dcf91f /README
parentc92b3a2f1f11655ecf6774b745017a414241d07c (diff)
[NETFILTER]: nf_conntrack: fix use-after-free in helper destroy callback invocation
When the helper module is removed for a master connection that has a fulfilled expectation, but has already timed out and got removed from the hash tables, nf_conntrack_helper_unregister can't find the master connection to unset the helper, causing a use-after-free when the expected connection is destroyed and releases the last reference to the master. The helper destroy callback was introduced for the PPtP helper to clean up expectations and expected connections when the master connection times out, but doing this from destroy_conntrack only works for unfulfilled expectations since expected connections hold a reference to the master, preventing its destruction. Move the destroy callback to the timeout function, which fixes both problems. Reported/tested by Gabor Burjan <buga@buvoshetes.hu>. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'README')
0 files changed, 0 insertions, 0 deletions