Commit 828c56da authored by Martin Josefsson, committed by David S. Miller

[NETFILTER]: Fix modify-after-free bug in ip_conntrack.

parent d1ebfcd6
...@@ -273,6 +273,8 @@ static void remove_expectations(struct ip_conntrack *ct) ...@@ -273,6 +273,8 @@ static void remove_expectations(struct ip_conntrack *ct)
* the un-established ones only */ * the un-established ones only */
if (exp->sibling) { if (exp->sibling) {
DEBUGP("remove_expectations: skipping established %p of %p\n", exp->sibling, ct); DEBUGP("remove_expectations: skipping established %p of %p\n", exp->sibling, ct);
/* Indicate that this expectations parent is dead */
exp->expectant = NULL;
continue; continue;
} }
...@@ -324,6 +326,9 @@ destroy_conntrack(struct nf_conntrack *nfct) ...@@ -324,6 +326,9 @@ destroy_conntrack(struct nf_conntrack *nfct)
ip_conntrack_destroyed(ct); ip_conntrack_destroyed(ct);
WRITE_LOCK(&ip_conntrack_lock); WRITE_LOCK(&ip_conntrack_lock);
/* Delete us from our own list to prevent corruption later */
list_del(&ct->sibling_list);
/* Delete our master expectation */ /* Delete our master expectation */
if (ct->master) { if (ct->master) {
/* can't call __unexpect_related here, /* can't call __unexpect_related here,
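Review bot: Setting `exp->expectant = NULL` in the established-expectation branch of remove_expectations() creates a state that every later reader of `exp->expectant` must tolerate, and no such reader is visible in these hunks. Each dereference elsewhere in the file should be checked for a NULL guard and for running under the same lock as this store. In destroy_conntrack() the new `list_del(&ct->sibling_list)` is unconditional, which is only safe if that list head is initialised for every conntrack, including ones that never had expectations; the initialisation is outside the hunk. The comment above it would be easier to audit if it named the hazard, presumably something like `/* Unlink our list head so established expectations still linked to it cannot write into this conntrack after it is freed */`. Both function bodies start and end outside the visible hunks.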