There is a problem in kernel 2.4.5 with the newnat 0.91 patch. The kernel
crashes in the following scenario:
- A TCP connection creates an expectation to a UDP connection using
ip_conntrack_expect_related(). The expectation is inserted into the
sibling_list and into the expect_list.
- Once the expected connection becomes related, the expectation gets removed
from the expect_list.
- If the master connection is destroyed and the related connection is still
alive, the expected struct is not deleted.
- When the related connection is terminated, the master expectation is
destroyed using unexpect_related().
unexpect_related() is trying to delete the expectation from both the global
(expect_list) and the local (sibling_list) lists using list_del(). The
expectation is no longer in the expect_list and the sibling_list has been
destroyed along with the master ct - this causes list_del to crash as it
accesses illegal list pointers.
A possible solution could be:
In destroy_expectation(), the master connection should disconnect (re-write
their list head to point to themselves) all the expectations that will
remain alive after it vanishes from the sibling list, which will allow
list_del to be called (although unnecessary).
What do you think?
Tali.
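To make the failing step concrete, here is an added user-space model (not netfilter or list.h code, though it mimics the list.h primitives) of the scenario above. expectation_dangles() reports whether an expectation that outlives its master still points into the freed master, once with the current behaviour and once with the proposed fix of self-linking the survivors before the master goes away (the same semantics as the kernel's list_del_init()).

```c
#include <stdlib.h>
#include <stdint.h>

/* Minimal stand-ins for the kernel's list.h primitives */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *head) {
    n->next = head->next; n->prev = head;
    head->next->prev = n;  head->next = n;
}
static void list_del(struct list_head *e) {
    e->prev->next = e->next; e->next->prev = e->prev;
}
/* Unlink and re-point the entry to itself so a later list_del is a no-op */
static void list_del_init(struct list_head *e) { list_del(e); INIT_LIST_HEAD(e); }

struct master_ct   { struct list_head sibling_list; };
struct expectation { struct list_head list; };   /* linked into sibling_list */

/* Destroy the master conntrack. With disconnect set, every expectation that
   outlives it is first unlinked and self-linked (the fix proposed above). */
static void destroy_master(struct master_ct *m, int disconnect) {
    if (disconnect)
        while (m->sibling_list.next != &m->sibling_list)
            list_del_init(m->sibling_list.next);
    free(m);
}

/* Returns 1 if, after the master is gone, the surviving expectation still
   points into the freed master (unexpect_related()'s list_del would then
   write through freed memory); 0 if list_del on it is harmless. */
int expectation_dangles(int disconnect) {
    struct master_ct *m = malloc(sizeof *m);
    struct expectation *e = malloc(sizeof *e);
    uintptr_t stale;
    int dangles;
    INIT_LIST_HEAD(&m->sibling_list);
    list_add(&e->list, &m->sibling_list);   /* ip_conntrack_expect_related() */
    stale = (uintptr_t)&m->sibling_list;    /* address about to be freed */
    destroy_master(m, disconnect);
    dangles = (uintptr_t)e->list.next == stale || (uintptr_t)e->list.prev == stale;
    if (!dangles)
        list_del(&e->list);   /* unexpect_related(): no-op on a self-linked entry */
    free(e);
    return dangles;
}
```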