nf_ct_seqadj_init() is called without holding the ct lock. This can race
with nf_ct_seq_adjust() when a connection is in CLOSE state due to an
RST or connection reopening. In addition, for SYN_RECV state, concurrent
processing of packets can trigger nf_ct_seq_adjust() too. These
situations create a read/write data race.
As synproxy is the only user of nf_ct_seqadj_init() at the moment, fix
this by holding ct->lock inside nf_ct_seqadj_init() until all is done.
Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
if (off == 0)
return 0;
+ spin_lock_bh(&ct->lock);
set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
seqadj = nfct_seqadj(ct);
this_way = &seqadj->seq[dir];
this_way->offset_before = off;
this_way->offset_after = off;
+ spin_unlock_bh(&ct->lock);
return 0;
}
EXPORT_SYMBOL_GPL(nf_ct_seqadj_init);
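Review bot: the new critical section around set_bit() and the two offset stores is not documented as a locking requirement, so a future caller could enter nf_ct_seqadj_init() with ct->lock already held and deadlock on the non-recursive spin_lock_bh(&ct->lock). Consider adding a one-line comment above the lock stating that the caller must not hold ct->lock and that the section serializes against nf_ct_seq_adjust(), which also takes ct->lock. The placement itself looks right: the lock is taken after the `if (off == 0) return 0;` early return, so the no-op path never touches the lock, and every exit from the locked region goes through spin_unlock_bh() before `return 0;`.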