Re: Netfilter: kernel panic with REDIRECT target. (2.6.23 and 2.6.23.8)

Sun, 18 Nov 2007 11:55:56 -0800 

David wrote:

Ismail Dönmez wrote:

Sunday 18 November 2007 Tarihinde 21:00:12 yazmıştı:

I'm (very) far from being firewall configuration expert, but I'm seeing
a consistent kernel panic when the following rule is triggered.

    iptables -t nat -A PREROUTING -j REDIRECT -i eth2 -p udp --dport
5061 --to-ports 5060

(I'm trying to redirect an alternate port to a SIP server)

Am I just being very stupid, or is there something I'm not seeing here?

Also post the kernel panic log.

This is a bit difficult since the server is headless (normally). I can
try to obtain the panic via a temporary console, but it may have to wait
for a day or two.


Please try if this patch fixes the problem.

[NETFILTER]: Fix NULL pointer dereference in nf_nat_move_storage()

Reported by Chuck Ebbert as:

        https://bugzilla.redhat.com/show_bug.cgi?id=259501#c14

This routine is called each time hash should be replaced, nf_conn has
extension list which contains pointers to connection tracking users
(like nat, which is right now the only such user), so when replace takes
place it should copy own extensions. Loop above checks for own
extension, but tries to move higer-layer one, which can lead to above
oops.

Signed-off-by: Evgeniy Polyakov <[EMAIL PROTECTED]>
Signed-off-by: David S. Miller <[EMAIL PROTECTED]>

---
commit 7799652557d966e49512479f4d3b9079bbc01fff
tree c0895084e075bf53697a66816e6bfcbe28d3859d
parent a5a97263a9fd6a94f954d41ae3233ea65a90bd8a
author Evgeniy Polyakov <[EMAIL PROTECTED]> Thu, 15 Nov 2007 15:52:32 -0800
committer David S. Miller <[EMAIL PROTECTED]> Thu, 15 Nov 2007 15:52:32 -0800

 net/netfilter/nf_conntrack_extend.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nf_conntrack_extend.c 
b/net/netfilter/nf_conntrack_extend.c
index a1a65a1..cf6ba66 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -109,7 +109,7 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id 
id, gfp_t gfp)
                        rcu_read_lock();
                        t = rcu_dereference(nf_ct_ext_types[i]);
                        if (t && t->move)
-                               t->move(ct, ct->ext + ct->ext->offset[id]);
+                               t->move(ct, ct->ext + ct->ext->offset[i]);
                        rcu_read_unlock();
                }
                kfree(ct->ext);

Reply via email to