Date:	Thu, 18 Feb 2010 12:15:38 +0100
From:	Patrick McHardy <kaber@...sh.net>
To:	Pablo Neira Ayuso <pablo@...filter.org>
CC:	Ramblewski David <David.Ramblewski@...sorigin.com>,
	Eric Dumazet <eric.dumazet@...il.com>,
	"netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>,
	netdev <netdev@...r.kernel.org>
Subject: Re: kernel stack  trace using conntrack

Pablo Neira Ayuso wrote:
> Patrick McHardy wrote:
>> Ramblewski David wrote:
>>> Hi Eric,
>>>
>>> The conntrack patch works successfully.
>>>
>>>>> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
>>>>> index 0ffe689..d2657aa 100644
>>>>> --- a/net/netfilter/nf_conntrack_netlink.c
>>>>> +++ b/net/netfilter/nf_conntrack_netlink.c
>>>>> @@ -923,7 +923,7 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
>>>>>     unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
>>>>>     d = ct->status ^ status;
>>>>>
>>>>> -   if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
>>>>> +   if (d & (IPS_EXPECTED|IPS_DYING))
>>>>>             /* unchangeable */
>>>>>             return -EBUSY;
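Review bot: Dropping IPS_CONFIRMED from the mask in the `if (d & (...))` test means a CTA_STATUS value that differs from ct->status in the confirmed bit is no longer rejected with -EBUSY. A request that clears IPS_CONFIRMED on an already confirmed conntrack now passes this check silently, while the `/* unchangeable */` comment still reads as if nothing changed. If the intent is only to admit entries whose ct->status does not yet have IPS_CONFIRMED set, consider keeping an explicit rejection for the unset case, for example `if ((ct->status & IPS_CONFIRMED) && !(status & IPS_CONFIRMED)) return -EBUSY;`, and update the comment to say which bits remain unchangeable.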
>>>> I think that we should explicitly report if the user unsets
>>>> IPS_CONFIRMED. Please, don't change this.
>>>>
>>>> Apart from that, the patch seems fine to me. Thanks!
>>> Problem is we now (I mean after my patch) enter
>>> ctnetlink_change_status() with ct->status being null (or at least,
>>> IPS_CONFIRMED not set)
>> Pablo, please let me know whether you want me to apply this.
> 
> ctnetlink_change_helper() also calls nf_ct_ext_add() for conntracks that
> are confirmed (in case of a helper update for an existing conntrack).
> That would also trigger the assertion. If we want to support helper
> assignation via ctnetlink for existing conntracks, we will need to add
> locking to the conntrack extension infrastructure to avoid races.
> 
> I don't see a clear solution for this yet.

I see, this is indeed a problem. Since the helper is known at the
first event, we could restrict this to only allow manual assignment
for newly created conntracks. Most helpers probably can't properly
cope with connections not seen from the beginning anyways.