netfilter: nf_ct_helper: disable automatic helper re-assignment of di…

…fferent type This patch modifies __nf_ct_try_assign_helper in a way that invalidates support for the following scenario: 1) attach the helper A for first time when the conntrack is created 2) attach new (different) helper B due to changes the reply tuple caused by NAT eg. port redirection from TCP/21 to TCP/5060 with both FTP and SIP helpers loaded, which seems to be a quite unorthodox scenario. I can provide a more elaborated patch to support this scenario but explicit helper attachment provides a better solution for this since now the use can attach the helpers consistently, without relying on the automatic helper lookup magic. This patch fixes a possible out of bound zeroing of the conntrack helper extension if the helper B uses more memory for its private data than helper A. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
mariux64 · Jun 18, 2012 · 32f5376 · 32f5376
1 parent fd7462d
commit 32f5376
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
@@ -229,7 +229,13 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
 			goto out;
 		}
 	} else {
-		memset(help->data, 0, helper->data_len);
+		/* We only allow helper re-assignment of the same sort since
+		 * we cannot reallocate the helper extension area.
+		 */
+		if (help->helper != helper) {
+			RCU_INIT_POINTER(help->helper, NULL);
+			goto out;
+		}
 	}
 
 	rcu_assign_pointer(help->helper, helper);