Commit 9a8d198e authored by Harald Welte, committed by Hideaki Yoshifuji

[NETFILTER]: Don't assign new helper after NAT when there are already expectations present.

Tracked down by Raivis Bucis <raivis@mt.lv>

This patch fixes an oops while listing /proc/net/ip_conntrack.

When a helper sets up expectations based on the first packet (tftp),
NAT can still change the packet and cause conntrack to look for a new helper
based on the new tuple. When no helper is found, expectant->helper will be
NULL, which leads to an oops in print_expect().
 
Only assign a new helper in ip_conntrack_alter_reply() if there are no
expectations.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@redhat.com>
parent b8138a9e
...@@ -1127,10 +1127,8 @@ int ip_conntrack_alter_reply(struct ip_conntrack *conntrack, ...@@ -1127,10 +1127,8 @@ int ip_conntrack_alter_reply(struct ip_conntrack *conntrack,
DUMP_TUPLE(newreply); DUMP_TUPLE(newreply);
conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply; conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
if (!conntrack->master) if (!conntrack->master && list_empty(&conntrack->sibling_list))
conntrack->helper = LIST_FIND(&helpers, helper_cmp, conntrack->helper = ip_ct_find_helper(newreply);
struct ip_conntrack_helper *,
newreply);
WRITE_UNLOCK(&ip_conntrack_lock); WRITE_UNLOCK(&ip_conntrack_lock);
return 1; return 1;
......
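Review bot: The new `list_empty(&conntrack->sibling_list)` test on the changed `if` line carries no comment, so nothing in ip_conntrack_alter_reply() records that it exists to keep the helper that already owns expectations from being replaced (possibly by NULL) after NAT rewrites the reply tuple. A short comment above the condition would stop a later cleanup from dropping it. The same hunk also replaces the open-coded `LIST_FIND(&helpers, helper_cmp, ...)` with `ip_ct_find_helper(newreply)`, which the commit message does not mention. Its definition is not in this hunk, and the call sits before `WRITE_UNLOCK(&ip_conntrack_lock)`, so it is worth confirming that it performs the same lookup and does not try to take that lock itself. Since the reported crash is a NULL `expectant->helper` dereference in print_expect(), a NULL check there would be a cheap second line of defence if any other path can still leave the helper unset.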