mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2025-01-09 15:24:32 +08:00
netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
commit6eef7a2b93
upstream. If nf_conntrack_init_start() fails (for example due to a register_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini() clean-up path frees the nf_ct_helper_hash map. When built with NF_CONNTRACK=y, further netfilter modules (e.g: netfilter_conntrack_ftp) can still be loaded and call nf_conntrack_helpers_register(), independently of whether nf_conntrack initialized correctly. This accesses the nf_ct_helper_hash dangling pointer and causes a uaf, possibly leading to random memory corruption. This patch guards nf_conntrack_helper_register() from accessing a freed or uninitialized nf_ct_helper_hash pointer and fixes possible uses-after-free when loading a conntrack module. Cc: stable@vger.kernel.org Fixes:12f7a50533
("netfilter: add user-space connection tracking helper infrastructure") Signed-off-by: Florent Revest <revest@chromium.org> Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
2bd6f13734
commit
6f03ce2f1a
@ -405,6 +405,9 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
|
||||
BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
|
||||
BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1);
|
||||
|
||||
if (!nf_ct_helper_hash)
|
||||
return -ENOENT;
|
||||
|
||||
if (me->expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT)
|
||||
return -EINVAL;
|
||||
|
||||
@ -595,4 +598,5 @@ void nf_conntrack_helper_fini(void)
|
||||
{
|
||||
nf_ct_extend_unregister(&helper_extend);
|
||||
kvfree(nf_ct_helper_hash);
|
||||
nf_ct_helper_hash = NULL;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user