netfilter: conntrack: call nf_ct_gre_keymap_destroy() if master helper is pptp
authorPablo Neira Ayuso <pablo@netfilter.org>
Thu, 4 Jun 2026 06:21:13 +0000 (08:21 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 5 Jun 2026 14:21:38 +0000 (16:21 +0200)
For GRE flows, validate that the ct master helper (if any) is pptp
before calling nf_ct_gre_keymap_destroy(), so the helper data area
can be accessed safely. Note that only the pptp helper provides a
.destroy callback.

Fixes: e56894356f60 ("netfilter: conntrack: remove l4proto destroy hook")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_conntrack_core.c

index 91255fd3b35d8490feab847851ad1ea8d3d2131e..4fb3a2d18631969b1cc235b85b52ccff5d2a92a8 100644 (file)
@@ -562,9 +562,23 @@ static void destroy_gre_conntrack(struct nf_conn *ct)
 {
 #ifdef CONFIG_NF_CT_PROTO_GRE
        struct nf_conn *master = ct->master;
+       struct nf_conn_help *help;
+
+       if (!master)
+               return;
+
+       help = nfct_help(master);
+       if (help) {
+               struct nf_conntrack_helper *helper;
 
-       if (master)
-               nf_ct_gre_keymap_destroy(master);
+               rcu_read_lock();
+               helper = rcu_dereference(help->helper);
+               /* Only pptp helper has a destroy callback. */
+               if (helper && helper->destroy)
+                       nf_ct_gre_keymap_destroy(master);
+
+               rcu_read_unlock();
+       }
 #endif
 }
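Review bot: The guard `if (helper && helper->destroy)` recognises pptp only by the side fact that no other helper sets `.destroy`, so the safety of the helper data access inside nf_ct_gre_keymap_destroy() (not visible in this hunk) rests on an invariant that nothing enforces. If a second helper ever registers a destroy callback, a GRE flow whose master uses that helper would again reach the keymap teardown with a data area that is presumably not in pptp's layout. I would make the comment carry that dependency, e.g. `/* ->destroy stands in for "is pptp": keymap teardown reads pptp helper data. */` followed by `/* Use an explicit helper identity check if another helper gains ->destroy. */`. Alternatively, compare against the pptp helper directly if an identifier for it is reachable from this file.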