Maciej Żenczykowski <zenczykow...@gmail.com> wrote: > From: Maciej Żenczykowski <m...@google.com> > > Cc: Cong Wang <xiyou.wangc...@gmail.com> > Cc: Eric Dumazet <eduma...@google.com> > Cc: Pablo Neira Ayuso <pa...@netfilter.org> > Signed-off-by: Maciej Żenczykowski <m...@google.com> > --- > net/netfilter/nf_conntrack_core.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_conntrack_core.c > b/net/netfilter/nf_conntrack_core.c > index 0c63120b2db2..35459d04a050 100644 > --- a/net/netfilter/nf_conntrack_core.c > +++ b/net/netfilter/nf_conntrack_core.c > @@ -1679,7 +1679,8 @@ nf_conntrack_in(struct sk_buff *skb, const struct > nf_hook_state *state) > if ((tmpl && !nf_ct_is_template(tmpl)) || > ctinfo == IP_CT_UNTRACKED) { > NF_CT_STAT_INC_ATOMIC(state->net, ignore); > - return NF_ACCEPT; > + ret = NF_ACCEPT;
This looks wrong. > + goto out; This puts tmpl, causing underflow of skb->nfct. When we enter nf_conntrack_in and this branch, then 'tmpl' is already assigned to skb->nfct, it will be put when skb is free'd. nf_ct_get() doesn't increment the refcnt. tmpl only needs to be put in case of ... > } > skb->_nfct = 0; ...this.
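Review bot: the `goto out` added in place of `return NF_ACCEPT;` changes who owns the reference held in `skb->_nfct`: in this branch the `skb->_nfct = 0;` that follows the closing `}` has not run, so the skb still holds the template and will put it when it is freed; if the shared `out` path also puts `tmpl`, that reference is dropped twice. Keep the direct `return NF_ACCEPT;` here, or clear `skb->_nfct` before jumping if the intent is to funnel every exit through `out`. The patch also carries no changelog text explaining why a shared exit path is wanted.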
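To make the ownership argument in the reply concrete, here is an added user-space model of the two exit paths. It is not kernel code and not part of the thread: `struct nf_conn`, `struct sk_buff`, `nf_ct_get()`, `nf_ct_put()` and `kfree_skb()` are simplified stand-ins that keep only the get/put semantics described above (a get that takes no reference, a put that drops one), and the `out:` label in the second variant is assumed to put `tmpl`, which is what the reply says the patched code does.

```c
/* Added example (not kernel code): a model of the nf_ct_get()/nf_ct_put()
 * ownership rule described in the reply. All types and helpers are
 * simplified stand-ins; only reference-count behaviour is modelled. */
#include <stdio.h>

/* Stand-in for struct nf_conn: only the reference count matters here. */
struct nf_conn {
    int refcnt;
    int underflowed;   /* set when a put drops the count below zero */
};

/* Stand-in for struct sk_buff: _nfct holds an owned reference (or NULL). */
struct sk_buff {
    struct nf_conn *_nfct;
};

enum { NF_ACCEPT = 1 };

/* nf_ct_get(): returns skb->_nfct WITHOUT taking a reference (assumption
 * taken from the reply above); the skb keeps owning that reference. */
static struct nf_conn *nf_ct_get(const struct sk_buff *skb)
{
    return skb->_nfct;
}

/* nf_ct_put(): drop one reference; record an underflow instead of crashing. */
static void nf_ct_put(struct nf_conn *ct)
{
    if (ct->refcnt <= 0)
        ct->underflowed = 1;
    ct->refcnt--;
}

/* kfree_skb(): the skb drops the reference it owns in _nfct, if any. */
static void kfree_skb(struct sk_buff *skb)
{
    if (skb->_nfct)
        nf_ct_put(skb->_nfct);
    skb->_nfct = NULL;
}

/* Variant A: the early branch returns directly (the "-" line in the hunk). */
static int conntrack_in_return(struct sk_buff *skb, int untracked)
{
    struct nf_conn *tmpl = nf_ct_get(skb);

    if (untracked)
        return NF_ACCEPT;   /* skb->_nfct still holds tmpl: the skb will put it */
    skb->_nfct = NULL;      /* ownership moves from the skb to this function ... */
    if (tmpl)
        nf_ct_put(tmpl);    /* ... so putting it here is correct */
    return NF_ACCEPT;
}

/* Variant B: the early branch jumps to a shared exit that puts tmpl
 * (the "+" lines in the hunk, with an assumed out: label that puts tmpl). */
static int conntrack_in_goto(struct sk_buff *skb, int untracked)
{
    struct nf_conn *tmpl = nf_ct_get(skb);
    int ret;

    if (untracked) {
        ret = NF_ACCEPT;
        goto out;           /* skb->_nfct was NOT cleared on this path */
    }
    skb->_nfct = NULL;
    ret = NF_ACCEPT;
out:
    if (tmpl)
        nf_ct_put(tmpl);
    return ret;
}

/* Run one variant on a template holding exactly one reference (owned by the
 * skb) and then free the skb as the stack would. Returns 1 on underflow. */
static int run_variant(int (*fn)(struct sk_buff *, int), int untracked)
{
    struct nf_conn tmpl = { .refcnt = 1, .underflowed = 0 };
    struct sk_buff skb = { ._nfct = &tmpl };

    fn(&skb, untracked);
    kfree_skb(&skb);
    return tmpl.underflowed;
}

int main(void)
{
    printf("return variant, untracked path: underflow=%d\n",
           run_variant(conntrack_in_return, 1));
    printf("goto variant,   untracked path: underflow=%d\n",
           run_variant(conntrack_in_goto, 1));
    return 0;
}
```

Only the untracked/template branch differs between the two variants: when `skb->_nfct` has been cleared first, both exits put `tmpl` exactly once, which is the "tmpl only needs to be put in case of this" point made in the reply.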