Re: [Linux-stable-mirror] [PATCH 4.4 28/78] netfilter: nfnl_cthelper: fix runtime expectation policy updates

On Fri, 2017-12-22 at 09:46 +0100, Greg Kroah-Hartman wrote:

4.4-stable review patch.  If anyone has any objections, please let me know.

---

From: Pablo Neira Ayuso pablo@netfilter.org

[ Upstream commit 2c422257550f123049552b39f7af6e3428a60f43 ]

We only allow runtime updates of expectation policies for timeout and maximum number of expectations, otherwise reject the update.

[...]

+static int nfnl_cthelper_update_policy_all(struct nlattr *tb[],

• 			   struct nf_conntrack_helper *helper)
  

+{

• struct nf_conntrack_expect_policy new_policy[helper->expect_class_max + 1];
• struct nf_conntrack_expect_policy *policy;
• int i, err;
• /* Check first that all policy attributes are well-formed, so we don't
• * leave things in inconsistent state on errors.
• */
• for (i = 0; i < helper->expect_class_max + 1; i++) {

• if (!tb[NFCTH_POLICY_SET + i])
  

• 	return -EINVAL;
  

• err = nfnl_cthelper_update_policy_one(&helper->expect_policy[i],
  

• 				      &new_policy[i],
  

• 				      tb[NFCTH_POLICY_SET + i]);
  

• if (err < 0)
  

• 	return err;
  

• }
• /* Now we can safely update them. */
• for (i = 0; i < helper->expect_class_max + 1; i++) {

• policy = (struct nf_conntrack_expect_policy *)
  

• 		&helper->expect_policy[i];
  

• policy->max_expected = new_policy->max_expected;
  

• policy->timeout	= new_policy->timeout;
  

[...]

Shouldn't the RHS of these two assignments use new_policy[i]?

Ben.