ip6t_SYNPROXY crashes kernel

ip6t_SYNPROXY crashes kernel

[Phil Sutter]

Hi,

When synproxy_send_server_ack() calls synproxy_send_tcp(), it passes
NULL as third parameter (struct nf_conntrack *nfct). And the first thing
synproxy_send_tcp() does, is dereference it:

| struct net *net = nf_ct_net((struct nf_conn *)nfct);

I could not find a commit leading to this breakage in the commit log,
which makes me doubt ip6t_SYNPROXY has ever worked at all.

If you need one, I have a reproducer at hand. (Though I would want to
strip it down a bit first.) Just let me know.

Cheers, Phil

Re: ip6t_SYNPROXY crashes kernel

[Patrick McHardy]

On 28.07, Phil Sutter wrote:
> Hi,
> 
> When synproxy_send_server_ack() calls synproxy_send_tcp(), it passes
> NULL as third parameter (struct nf_conntrack *nfct). And the first thing
> synproxy_send_tcp() does, is dereference it:
> 
> | struct net *net = nf_ct_net((struct nf_conn *)nfct);
> 
> I could not find a commit leading to this breakage in the commit log,
> which makes me doubt ip6t_SYNPROXY has ever worked at all.
> 
> If you need one, I have a reproducer at hand. (Though I would want to
> strip it down a bit first.) Just let me know.

Thanks, looks like I never tested this with netns enabled. Would you
care to provide a patch? An easy fix seems to be to pass the synproxy_net
struct to synproxy_send_tcp() and use nf_ct_net(snet->tmpl) instead.