rpms/kernel/F-8 linux-2.6-netfilter-fix-null-deref-nf_nat_move_storage.patch, NONE, 1.1 kernel.spec, 1.269, 1.270

Chuck Ebbert (cebbert) fedora-extras-commits at redhat.com
Mon Nov 19 20:16:20 UTC 2007 

Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv26500

Modified Files:
	kernel.spec 
Added Files:
	linux-2.6-netfilter-fix-null-deref-nf_nat_move_storage.patch 
Log Message:
* Mon Nov 19 2007 Chuck Ebbert <cebbert at redhat.com>
- Fix oops in netfilter NAT module (#259501)


linux-2.6-netfilter-fix-null-deref-nf_nat_move_storage.patch:

--- NEW FILE linux-2.6-netfilter-fix-null-deref-nf_nat_move_storage.patch ---
Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7799652557d966e49512479f4d3b9079bbc01fff
Commit:     7799652557d966e49512479f4d3b9079bbc01fff
Parent:     a5a97263a9fd6a94f954d41ae3233ea65a90bd8a
Author:     Evgeniy Polyakov <johnpol at 2ka.mipt.ru>
AuthorDate: Thu Nov 15 15:52:32 2007 -0800
Committer:  David S. Miller <davem at davemloft.net>
CommitDate: Thu Nov 15 15:52:32 2007 -0800

    [NETFILTER]: Fix NULL pointer dereference in nf_nat_move_storage()
    
    Reported by Chuck Ebbert as:
    
    	https://bugzilla.redhat.com/show_bug.cgi?id=259501#c14
    
    This routine is called each time hash should be replaced, nf_conn has
    extension list which contains pointers to connection tracking users
    (like nat, which is right now the only such user), so when replace takes
    place it should copy own extensions. Loop above checks for own
    extension, but tries to move higer-layer one, which can lead to above
    oops.
    
    Signed-off-by: Evgeniy Polyakov <johnpol at 2ka.mipt.ru>
    Signed-off-by: David S. Miller <davem at davemloft.net>
---
 net/netfilter/nf_conntrack_extend.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index a1a65a1..cf6ba66 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -109,7 +109,7 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
 			rcu_read_lock();
 			t = rcu_dereference(nf_ct_ext_types[i]);
 			if (t && t->move)
-				t->move(ct, ct->ext + ct->ext->offset[id]);
+				t->move(ct, ct->ext + ct->ext->offset[i]);
 			rcu_read_unlock();
 		}
 		kfree(ct->ext);


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-8/kernel.spec,v
retrieving revision 1.269
retrieving revision 1.270
diff -u -r1.269 -r1.270
--- kernel.spec	19 Nov 2007 20:05:42 -0000	1.269
+++ kernel.spec	19 Nov 2007 20:15:45 -0000	1.270
@@ -644,6 +644,7 @@
 Patch426: linux-2.6-cifs-fix-bad-handling-of-EAGAIN.patch
 
 Patch430: linux-2.6-net-silence-noisy-printks.patch
+Patch431: linux-2.6-netfilter-fix-null-deref-nf_nat_move_storage.patch
 Patch440: linux-2.6-sha_alignment.patch
 Patch450: linux-2.6-input-kill-stupid-messages.patch
 Patch451: linux-2.6-input-alps-add-dell-vostro-1400.patch
@@ -1203,6 +1204,8 @@
 # Networking
 # Disable easy to trigger printk's.
 ApplyPatch linux-2.6-net-silence-noisy-printks.patch
+# fix oops in netfilter
+ApplyPatch linux-2.6-netfilter-fix-null-deref-nf_nat_move_storage.patch
 
 # Misc fixes
 # Fix SHA1 alignment problem on ia64
@@ -1965,6 +1968,9 @@
 
 %changelog
 * Mon Nov 19 2007 Chuck Ebbert <cebbert at redhat.com>
+- Fix oops in netfilter NAT module (#259501)
+
+* Mon Nov 19 2007 Chuck Ebbert <cebbert at redhat.com>
 - libata: fix resume on some systems
 - libata: fix pata_serverworks with some drive combinations

More information about the fedora-extras-commits mailing list