NETFILTER: ctnetlink: check for status attribute existence on conntrack creation

Check that status flags are available in the netlink message received to create a new conntrack. Fixes a crash in ctnetlink_create_conntrack when the CTA_STATUS attribute is not present. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2007-03-24 21:18:36 +0100
committer: Adrian Bunk <bunk@stusta.de> 2007-03-24 21:18:36 +0100
commit: 9003d12b0a6ae9b19e5f60296c2dec37ff84f73b (patch)
tree: 58a8f7fff5491bddd92042129f6d5b9a4aece2f6 /net/ipv4
parent: 1bed543f180803523b5baa5b10e9432ea2de5afb (diff)
download: lwn-9003d12b0a6ae9b19e5f60296c2dec37ff84f73b.tar.gz
lwn-9003d12b0a6ae9b19e5f60296c2dec37ff84f73b.zip
1 files changed, 5 insertions, 3 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c
index d4e6d0a3bf20..f558a014d68b 100644
--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -1021,9 +1021,11 @@ ctnetlink_create_conntrack(struct nfattr *cda[],
 	ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
 	ct->status |= IPS_CONFIRMED;
 
-	err = ctnetlink_change_status(ct, cda);
-	if (err < 0)
-		goto err;
+	if (cda[CTA_STATUS-1]) {
+		err = ctnetlink_change_status(ct, cda);
+		if (err < 0)
+			goto err;
+	}
 
 	if (cda[CTA_PROTOINFO-1]) {
 		err = ctnetlink_change_protoinfo(ct, cda);
author	Pablo Neira Ayuso <pablo@netfilter.org>	2007-03-24 21:18:36 +0100
committer	Adrian Bunk <bunk@stusta.de>	2007-03-24 21:18:36 +0100
commit	9003d12b0a6ae9b19e5f60296c2dec37ff84f73b (patch)
tree	58a8f7fff5491bddd92042129f6d5b9a4aece2f6 /net/ipv4
parent	1bed543f180803523b5baa5b10e9432ea2de5afb (diff)
download	lwn-9003d12b0a6ae9b19e5f60296c2dec37ff84f73b.tar.gz lwn-9003d12b0a6ae9b19e5f60296c2dec37ff84f73b.zip