[patch 05/20] nfnetlink_log: fix use after free

From: Greg KH
Date: Sat Mar 10 2007 - 01:19:28 EST

Next message: Greg KH: "[patch 03/20] tcp conntrack: accept SYN|URG as valid"
Previous message: Greg KH: "[patch 02/20] nf_conntrack/nf_nat: fix incorrect config ifdefs"
In reply to: Greg KH: "[patch 02/20] nf_conntrack/nf_nat: fix incorrect config ifdefs"
Next in thread: Greg KH: "[patch 03/20] tcp conntrack: accept SYN|URG as valid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Patrick McHardy <kaber@xxxxxxxxx>

[NETFILTER]: nfnetlink_log: fix use after free

Paranoia: instance_put() might have freed the inst pointer when we
spin_unlock_bh().

Signed-off-by: Michal Miroslaw <mirq-linux@xxxxxxxxxxxx>
Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
net/netfilter/nfnetlink_log.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -397,8 +397,8 @@ static void nfulnl_timer(unsigned long d
if (timer_pending(&inst->timer)) /* is it always true or false here? */
del_timer(&inst->timer);
__nfulnl_send(inst);
- instance_put(inst);
spin_unlock_bh(&inst->lock);
+ instance_put(inst);
}

/* This is an inline function, we don't really care about a long

--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "[patch 03/20] tcp conntrack: accept SYN|URG as valid"
Previous message: Greg KH: "[patch 02/20] nf_conntrack/nf_nat: fix incorrect config ifdefs"
In reply to: Greg KH: "[patch 02/20] nf_conntrack/nf_nat: fix incorrect config ifdefs"
Next in thread: Greg KH: "[patch 03/20] tcp conntrack: accept SYN|URG as valid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]