process_register_request() allocates an expectation and then checks
whether a conntrack helper is available. If helper lookup fails, the
function returns early and the allocated expectation is left behind.
Reorder the code to fetch and validate the helper before calling
nf_ct_expect_alloc(). This keeps the logic simpler and removes the leak
path while preserving existing behavior.
Fixes: e14575fa7529 ("netfilter: nf_conntrack: use rcu accessors where needed")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
goto store_cseq;
}
+ helper = rcu_dereference(nfct_help(ct)->helper);
+ if (!helper)
+ return NF_DROP;
+
exp = nf_ct_expect_alloc(ct);
if (!exp) {
nf_ct_helper_log(skb, ct, "cannot alloc expectation");
if (sip_direct_signalling)
saddr = &ct->tuplehash[!dir].tuple.src.u3;
- helper = rcu_dereference(nfct_help(ct)->helper);
- if (!helper)
- return NF_DROP;
-
nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
saddr, &daddr, proto, NULL, &port);
exp->timeout.expires = sip_timeout * HZ;
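Review bot: The helper lookup added ahead of `nf_ct_expect_alloc(ct)` has no comment saying that its position is what keeps the bare `return NF_DROP` leak-free, so a later reshuffle could move it back below the allocation. I would add `/* Look up the helper before allocating: a bare return after nf_ct_expect_alloc() leaks the expectation. */` above the `helper = rcu_dereference(...)` line. This drop is also silent, unlike the allocation failure just below it, which calls `nf_ct_helper_log()`; if that is deliberate, the same comment is the place to say so. The function starts and ends outside the hunk, so the exits after `nf_ct_expect_init()` are not visible here and are worth checking for a matching release of `exp`.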