authorPablo Neira Ayuso <pablo@netfilter.org>2008-09-21 14:00:50 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2008-09-21 14:00:50 +0200
commit666ceb1e2cd71f844f5794a556c46b114764bca6 (patch)
treee953df178085d1750becd4d0cdcf11885121d033
parentce7c1553d7720188447d0ae7f7f80ce033b5a8d8 (diff)
fix: remove node from tx_list when the state-entry is destroy
This patch fixes a race that triggers a read-after-free access to the tx_list. The state-entry is destroyed but it is still in the list. The fix removes the state-entry from the tx_list in the destroy path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/sync-ftfw.c15
1 files changed, 9 insertions, 6 deletions
diff --git a/src/sync-ftfw.c b/src/sync-ftfw.c
index 5019d4e..4c1b536 100644
--- a/src/sync-ftfw.c
+++ b/src/sync-ftfw.c
@@ -70,12 +70,15 @@ static void cache_ftfw_del(struct us_conntrack *u, void *data)
struct cache_ftfw *cn = data;
/* this node is already out of the list */
- if (list_empty(&cn->rs_list))
- return;
-
- /* no need for list_del_init since the entry is destroyed */
- list_del(&cn->rs_list);
- rs_list_len--;
+ if (!list_empty(&cn->rs_list)) {
+ /* no need for list_del_init since the entry is destroyed */
+ list_del(&cn->rs_list);
+ rs_list_len--;
+ }
+ if (!list_empty(&cn->tx_list)) {
+ list_del(&cn->tx_list);
+ tx_list_len--;
+ }
}
static struct cache_extra cache_ftfw_extra = {
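Review bot: The new `if (!list_empty(&cn->tx_list))` guard is only safe if `cn->tx_list` is self-linked whenever the entry is not queued, which the hunk does not show. That means every other path that dequeues the node must use `list_del_init`, and the head must be initialised when the entry is created. If any path uses plain `list_del`, this branch would unlink through stale pointers and decrement `tx_list_len` a second time. It is worth stating that invariant next to the branch, for example `/* tx_list is kept self-linked while not queued (list_del_init elsewhere), so list_empty() is a valid "not queued" test */`. The retained context comment `/* this node is already out of the list */` described the removed early return and no longer matches the code, so it should be dropped or reworded. The start of `cache_ftfw_del` lies outside the hunk, so the initialisation could not be checked here.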