]> err.no Git - linux-2.6/blobdiff - net/ipv4/netfilter/ip_conntrack_proto_tcp.c
projects / linux-2.6 / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
[NETFILTER]: Missing unlock in TCP connection tracking error path
[linux-2.6] / net / ipv4 / netfilter / ip_conntrack_proto_tcp.c
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
index 2b87c1974be605d5bdb1ee769188d7e03fb2ddc8..1985abc59d2497f13c453750277d71da0bf73946 100644 (file)
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -36,7 +36,6 @@
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter_ipv4/ip_conntrack.h>
 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
-#include <linux/netfilter_ipv4/lockhelp.h>
 
 #if 0
 #define DEBUGP printk
@@ -46,7 +45,7 @@
 #endif
 
 /* Protects conntrack->proto.tcp */
-static DECLARE_RWLOCK(tcp_lock);
+static DEFINE_RWLOCK(tcp_lock);
 
 /* "Be conservative in what you do, 
     be liberal in what you accept from others." 
@@ -330,13 +329,31 @@ static int tcp_print_conntrack(struct seq_file *s,
 {
        enum tcp_conntrack state;
 
-       READ_LOCK(&tcp_lock);
+       read_lock_bh(&tcp_lock);
        state = conntrack->proto.tcp.state;
-       READ_UNLOCK(&tcp_lock);
+       read_unlock_bh(&tcp_lock);
 
        return seq_printf(s, "%s ", tcp_conntrack_names[state]);
 }
 
+#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
+    defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
+static int tcp_to_nfattr(struct sk_buff *skb, struct nfattr *nfa,
+                        const struct ip_conntrack *ct)
+{
+       read_lock_bh(&tcp_lock);
+       NFA_PUT(skb, CTA_PROTOINFO_TCP_STATE, sizeof(u_int8_t),
+               &ct->proto.tcp.state);
+       read_unlock_bh(&tcp_lock);
+
+       return 0;
+
+nfattr_failure:
+       read_unlock_bh(&tcp_lock);
+       return -1;
+}
+#endif
+
 static unsigned int get_conntrack_index(const struct tcphdr *tcph)
 {
        if (tcph->rst) return TCP_RST_SET;
@@ -700,7 +717,7 @@ static int tcp_in_window(struct ip_ct_tcp *state,
                res = 1;
        } else {
                if (LOG_INVALID(IPPROTO_TCP))
-                       nf_log_packet(PF_INET, 0, skb, NULL, NULL,
+                       nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
                        "ip_ct_tcp: %s ",
                        before(seq, sender->td_maxend + 1) ?
                        after(end, sender->td_end - receiver->td_maxwin - 1) ?
@@ -738,14 +755,14 @@ void ip_conntrack_tcp_update(struct sk_buff *skb,
 
        end = segment_seq_plus_len(ntohl(tcph->seq), skb->len, iph, tcph);
        
-       WRITE_LOCK(&tcp_lock);
+       write_lock_bh(&tcp_lock);
        /*
         * We have to worry for the ack in the reply packet only...
         */
        if (after(end, conntrack->proto.tcp.seen[dir].td_end))
                conntrack->proto.tcp.seen[dir].td_end = end;
        conntrack->proto.tcp.last_end = end;
-       WRITE_UNLOCK(&tcp_lock);
+       write_unlock_bh(&tcp_lock);
        DEBUGP("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i "
               "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
                sender->td_end, sender->td_maxend, sender->td_maxwin,
@@ -799,7 +816,7 @@ static int tcp_error(struct sk_buff *skb,
                                sizeof(_tcph), &_tcph);
        if (th == NULL) {
                if (LOG_INVALID(IPPROTO_TCP))
-                       nf_log_packet(PF_INET, 0, skb, NULL, NULL, 
+                       nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
                                "ip_ct_tcp: short packet ");
                return -NF_ACCEPT;
        }
@@ -807,7 +824,7 @@ static int tcp_error(struct sk_buff *skb,
        /* Not whole TCP header or malformed packet */
        if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) {
                if (LOG_INVALID(IPPROTO_TCP))
-                       nf_log_packet(PF_INET, 0, skb, NULL, NULL, 
+                       nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
                                "ip_ct_tcp: truncated/malformed packet ");
                return -NF_ACCEPT;
        }
@@ -819,11 +836,12 @@ static int tcp_error(struct sk_buff *skb,
         */
        /* FIXME: Source route IP option packets --RR */
        if (hooknum == NF_IP_PRE_ROUTING
+           && skb->ip_summed != CHECKSUM_UNNECESSARY
            && csum_tcpudp_magic(iph->saddr, iph->daddr, tcplen, IPPROTO_TCP,
                                 skb->ip_summed == CHECKSUM_HW ? skb->csum
                                 : skb_checksum(skb, iph->ihl*4, tcplen, 0))) {
                if (LOG_INVALID(IPPROTO_TCP))
-                       nf_log_packet(PF_INET, 0, skb, NULL, NULL, 
+                       nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
                                  "ip_ct_tcp: bad TCP checksum ");
                return -NF_ACCEPT;
        }
@@ -832,7 +850,7 @@ static int tcp_error(struct sk_buff *skb,
        tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR));
        if (!tcp_valid_flags[tcpflags]) {
                if (LOG_INVALID(IPPROTO_TCP))
-                       nf_log_packet(PF_INET, 0, skb, NULL, NULL, 
+                       nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
                                  "ip_ct_tcp: invalid TCP flag combination ");
                return -NF_ACCEPT;
        }
@@ -856,7 +874,7 @@ static int tcp_packet(struct ip_conntrack *conntrack,
                                sizeof(_tcph), &_tcph);
        BUG_ON(th == NULL);
        
-       WRITE_LOCK(&tcp_lock);
+       write_lock_bh(&tcp_lock);
        old_state = conntrack->proto.tcp.state;
        dir = CTINFO2DIR(ctinfo);
        index = get_conntrack_index(th);
@@ -878,10 +896,11 @@ static int tcp_packet(struct ip_conntrack *conntrack,
                         * that the client cannot but retransmit its SYN and 
                         * thus initiate a clean new session.
                         */
-                       WRITE_UNLOCK(&tcp_lock);
+                       write_unlock_bh(&tcp_lock);
                        if (LOG_INVALID(IPPROTO_TCP))
-                               nf_log_packet(PF_INET, 0, skb, NULL, NULL, 
-                                         "ip_ct_tcp: killing out of sync session ");
+                               nf_log_packet(PF_INET, 0, skb, NULL, NULL,
+                                             NULL, "ip_ct_tcp: "
+                                             "killing out of sync session ");
                        if (del_timer(&conntrack->timeout))
                                conntrack->timeout.function((unsigned long)
                                                            conntrack);
@@ -893,9 +912,9 @@ static int tcp_packet(struct ip_conntrack *conntrack,
                conntrack->proto.tcp.last_end = 
                    segment_seq_plus_len(ntohl(th->seq), skb->len, iph, th);
                
-               WRITE_UNLOCK(&tcp_lock);
+               write_unlock_bh(&tcp_lock);
                if (LOG_INVALID(IPPROTO_TCP))
-                       nf_log_packet(PF_INET, 0, skb, NULL, NULL, 
+                       nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
                                  "ip_ct_tcp: invalid packet ignored ");
                return NF_ACCEPT;
        case TCP_CONNTRACK_MAX:
@@ -903,9 +922,9 @@ static int tcp_packet(struct ip_conntrack *conntrack,
                DEBUGP("ip_ct_tcp: Invalid dir=%i index=%u ostate=%u\n",
                       dir, get_conntrack_index(th),
                       old_state);
-               WRITE_UNLOCK(&tcp_lock);
+               write_unlock_bh(&tcp_lock);
                if (LOG_INVALID(IPPROTO_TCP))
-                       nf_log_packet(PF_INET, 0, skb, NULL, NULL, 
+                       nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
                                  "ip_ct_tcp: invalid state ");
                return -NF_ACCEPT;
        case TCP_CONNTRACK_SYN_SENT:
@@ -917,16 +936,16 @@ static int tcp_packet(struct ip_conntrack *conntrack,
                             conntrack->proto.tcp.seen[dir].td_end)) {  
                        /* Attempt to reopen a closed connection.
                        * Delete this connection and look up again. */
-                       WRITE_UNLOCK(&tcp_lock);
+                       write_unlock_bh(&tcp_lock);
                        if (del_timer(&conntrack->timeout))
                                conntrack->timeout.function((unsigned long)
                                                            conntrack);
                        return -NF_REPEAT;
                } else {
-                       WRITE_UNLOCK(&tcp_lock);
+                       write_unlock_bh(&tcp_lock);
                        if (LOG_INVALID(IPPROTO_TCP))
                                nf_log_packet(PF_INET, 0, skb, NULL, NULL,
-                                             "ip_ct_tcp: invalid SYN");
+                                             NULL, "ip_ct_tcp: invalid SYN");
                        return -NF_ACCEPT;
                }
        case TCP_CONNTRACK_CLOSE:
@@ -948,7 +967,7 @@ static int tcp_packet(struct ip_conntrack *conntrack,
 
        if (!tcp_in_window(&conntrack->proto.tcp, dir, index, 
                           skb, iph, th)) {
-               WRITE_UNLOCK(&tcp_lock);
+               write_unlock_bh(&tcp_lock);
                return -NF_ACCEPT;
        }
     in_window:
@@ -971,7 +990,11 @@ static int tcp_packet(struct ip_conntrack *conntrack,
        timeout = conntrack->proto.tcp.retrans >= ip_ct_tcp_max_retrans
                  && *tcp_timeouts[new_state] > ip_ct_tcp_timeout_max_retrans
                  ? ip_ct_tcp_timeout_max_retrans : *tcp_timeouts[new_state];
-       WRITE_UNLOCK(&tcp_lock);
+       write_unlock_bh(&tcp_lock);
+
+       ip_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb);
+       if (new_state != old_state)
+               ip_conntrack_event_cache(IPCT_PROTOINFO, skb);
 
        if (!test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)) {
                /* If only reply is a RST, we can consider ourselves not to
@@ -1096,4 +1119,10 @@ struct ip_conntrack_protocol ip_conntrack_protocol_tcp =
        .packet                 = tcp_packet,
        .new                    = tcp_new,
        .error                  = tcp_error,
+#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
+    defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
+       .to_nfattr              = tcp_to_nfattr,
+       .tuple_to_nfattr        = ip_ct_port_tuple_to_nfattr,
+       .nfattr_to_tuple        = ip_ct_port_nfattr_to_tuple,
+#endif
 };
Linux 2.6 source tree