diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-09-21 14:00:50 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-09-21 14:00:50 +0200 |
commit | 666ceb1e2cd71f844f5794a556c46b114764bca6 (patch) | |
tree | e953df178085d1750becd4d0cdcf11885121d033 | |
parent | ce7c1553d7720188447d0ae7f7f80ce033b5a8d8 (diff) | |
download | conntrack-tools-666ceb1e2cd71f844f5794a556c46b114764bca6.tar.gz conntrack-tools-666ceb1e2cd71f844f5794a556c46b114764bca6.zip |
fix: remove node from tx_list when the state-entry is destroy
This patches fixes a race that triggers a read-after-free access
to the tx_list. The state-entry is destroyed but it is still in the
list. The fix removes the state-entry from the tx_list in the destroy
path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/sync-ftfw.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/src/sync-ftfw.c b/src/sync-ftfw.c index 5019d4e..4c1b536 100644 --- a/src/sync-ftfw.c +++ b/src/sync-ftfw.c @@ -70,12 +70,15 @@ static void cache_ftfw_del(struct us_conntrack *u, void *data) struct cache_ftfw *cn = data; /* this node is already out of the list */ - if (list_empty(&cn->rs_list)) - return; - - /* no need for list_del_init since the entry is destroyed */ - list_del(&cn->rs_list); - rs_list_len--; + if (!list_empty(&cn->rs_list)) { + /* no need for list_del_init since the entry is destroyed */ + list_del(&cn->rs_list); + rs_list_len--; + } + if (!list_empty(&cn->tx_list)) { + list_del(&cn->tx_list); + tx_list_len--; + } } static struct cache_extra cache_ftfw_extra = { |