
From: Thomas Graf <tgraf@redhat.com>
Date: Wed, 6 Aug 2008 01:04:01 +0200
Subject: [net] h323: Fix panic in conntrack module
Message-id: 20080805230401.GA1741@plip.localdomain
O-Subject: [PATCH RHEL5.3] BZ#433661: Fix panic in h323 conntrack module
Bugzilla: 433661
RH-Acked-by: David S. Miller <davem@redhat.com>
RH-Acked-by: Neil Horman <nhorman@redhat.com>

This patch includes several fixes to the h323 conntrack helper:
 - Use of ip_ct_refresh() instead of ip_ct_refresh_acct() fixing
   a NULL pointer deref.
 - Correctly use write_lock_bh() for conntrack lock
 - Give back conntrack expect entry. Fixes a memory leak.

Please ACK

diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323.c b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
index 9a39e29..0bc0d3f 100644
--- a/net/ipv4/netfilter/ip_conntrack_helper_h323.c
+++ b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
@@ -1417,10 +1417,10 @@ static int process_rcf(struct sk_buff **pskb, struct ip_conntrack *ct,
 		DEBUGP
 		    ("ip_ct_ras: set RAS connection timeout to %u seconds\n",
 		     info->timeout);
-		ip_ct_refresh_acct(ct, ctinfo, NULL, info->timeout * HZ);
+		ip_ct_refresh(ct, *pskb, info->timeout * HZ);
 
 		/* Set expect timeout */
-		read_lock_bh(&ip_conntrack_lock);
+		write_lock_bh(&ip_conntrack_lock);
 		exp = find_expect(ct, ct->tuplehash[dir].tuple.dst.ip,
 				  info->sig_port[!dir]);
 		if (exp) {
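Review bot: The read_lock_bh() → write_lock_bh() upgrade around find_expect()/set_expect_timeout() carries no comment saying what is now written under the lock, and nothing visible in this hunk modifies shared state, so the reason will be lost on the next reader; suggest `/* write lock: set_expect_timeout() modifies the expect found below */`, worded to match what set_expect_timeout() actually touches, which I cannot see from here. Likewise the move from ip_ct_refresh_acct(..., NULL, ...) to ip_ct_refresh(ct, *pskb, ...) is explained only in the commit message; a short `/* non-accounting refresh: the _acct variant needs a real skb */` next to the call would keep a future backport from reintroducing the NULL skb. The same substitution is made in the process_urq hunk and is covered by this note. `info->timeout * HZ` is carried over unchanged; if info->timeout originates from the peer's RCF message, the product can wrap for large values and is worth clamping, though that predates this commit. process_rcf's body starts above this hunk.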
@@ -1433,8 +1433,9 @@ static int process_rcf(struct sk_buff **pskb, struct ip_conntrack *ct,
 			       ntohs(exp->tuple.dst.u.tcp.port),
 			       info->timeout);
 			set_expect_timeout(exp, info->timeout);
+			ip_conntrack_expect_put(exp);
 		}
-		read_unlock_bh(&ip_conntrack_lock);
+		write_unlock_bh(&ip_conntrack_lock);
 	}
 
 	return 0;
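Review bot: The new ip_conntrack_expect_put(exp) deserves a comment tying it to the reference find_expect() hands out, since nothing in the hunk shows that reference being taken: `/* find_expect() returned exp with a reference held; give it back */`. It also runs before write_unlock_bh(); that is safe only if the put's last-reference path does not itself take ip_conntrack_lock, which I cannot verify from this hunk, so please confirm against ip_conntrack_expect_put(). The enclosing `if (exp)` and the function body start above this hunk.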
@@ -1465,7 +1466,7 @@ static int process_urq(struct sk_buff **pskb, struct ip_conntrack *ct,
 	info->sig_port[!dir] = 0;
 
 	/* Give it 30 seconds for UCF or URJ */
-	ip_ct_refresh_acct(ct, ctinfo, NULL, 30 * HZ);
+	ip_ct_refresh(ct, *pskb, 30 * HZ);
 
 	return 0;
 }