Commit 5c8ec910 authored by Patrick McHardy's avatar Patrick McHardy

netfilter: nf_conntrack: fix confirmation race condition

New connection tracking entries are inserted into the hash before they
are fully set up, namely the CONFIRMED bit is not set and the timer not
started yet. This can theoretically lead to a race with timer, which
would set the timeout value to a relative value, most likely already in
the past.

Perform hash insertion as the final step to fix this.
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 8cc20198
...@@ -425,7 +425,6 @@ __nf_conntrack_confirm(struct sk_buff *skb) ...@@ -425,7 +425,6 @@ __nf_conntrack_confirm(struct sk_buff *skb)
/* Remove from unconfirmed list */ /* Remove from unconfirmed list */
hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode); hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode);
__nf_conntrack_hash_insert(ct, hash, repl_hash);
/* Timer relative to confirmation time, not original /* Timer relative to confirmation time, not original
setting time, otherwise we'd get timer wrap in setting time, otherwise we'd get timer wrap in
weird delay cases. */ weird delay cases. */
...@@ -433,8 +432,16 @@ __nf_conntrack_confirm(struct sk_buff *skb) ...@@ -433,8 +432,16 @@ __nf_conntrack_confirm(struct sk_buff *skb)
add_timer(&ct->timeout); add_timer(&ct->timeout);
atomic_inc(&ct->ct_general.use); atomic_inc(&ct->ct_general.use);
set_bit(IPS_CONFIRMED_BIT, &ct->status); set_bit(IPS_CONFIRMED_BIT, &ct->status);
/* Since the lookup is lockless, hash insertion must be done after
* starting the timer and setting the CONFIRMED bit. The RCU barriers
* guarantee that no other CPU can find the conntrack before the above
* stores are visible.
*/
__nf_conntrack_hash_insert(ct, hash, repl_hash);
NF_CT_STAT_INC(net, insert); NF_CT_STAT_INC(net, insert);
spin_unlock_bh(&nf_conntrack_lock); spin_unlock_bh(&nf_conntrack_lock);
help = nfct_help(ct); help = nfct_help(ct);
if (help && help->helper) if (help && help->helper)
nf_conntrack_event_cache(IPCT_HELPER, ct); nf_conntrack_event_cache(IPCT_HELPER, ct);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment