[NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)
authorPatrick McHardy <kaber@trash.net>
Fri, 22 Jul 2005 19:50:29 +0000 (12:50 -0700)
committerDavid S. Miller <davem@davemloft.net>
Fri, 22 Jul 2005 19:50:29 +0000 (12:50 -0700)
The portptr pointing to the port in the conntrack tuple is declared static,
which could result in memory corruption when two packets of the same
protocol are NATed at the same time and one conntrack goes away.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/netfilter/ip_nat_proto_tcp.c
net/ipv4/netfilter/ip_nat_proto_udp.c

index a91cfceff272fd1eeeab2a2f809443b655af5150..a98e36d2b3c627d66cec58ece9d2b173c98de71d 100644 (file)
@@ -40,7 +40,8 @@ tcp_unique_tuple(struct ip_conntrack_tuple *tuple,
                 enum ip_nat_manip_type maniptype,
                 const struct ip_conntrack *conntrack)
 {
-       static u_int16_t port, *portptr;
+       static u_int16_t port;
+       u_int16_t *portptr;
        unsigned int range_size, min, i;
 
        if (maniptype == IP_NAT_MANIP_SRC)
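Review bot: `port` keeps its `static` storage in tcp_unique_tuple (and in the matching udp_unique_tuple hunk), so it is still state shared by every concurrent caller, and neither hunk shows any locking around it. The code that reads and updates `port` lies outside both hunks, so whether a race there is harmless cannot be confirmed from here. If it is meant as a rolling start position for the port search, a comment next to the declaration should say so, e.g. `/* Shared on purpose: rolling start for the port search; a race only changes which port is tried first. */`. Without it, a later reader cannot tell this deliberate `static` from the accidental one this commit removes from `portptr`.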
index c669e3b5f5d0d65cbea03b75b4d7938485da6fe5..9f66e56256644e0756e82f73e70a412883de23b1 100644 (file)
@@ -41,7 +41,8 @@ udp_unique_tuple(struct ip_conntrack_tuple *tuple,
                 enum ip_nat_manip_type maniptype,
                 const struct ip_conntrack *conntrack)
 {
-       static u_int16_t port, *portptr;
+       static u_int16_t port;
+       u_int16_t *portptr;
        unsigned int range_size, min, i;
 
        if (maniptype == IP_NAT_MANIP_SRC)