List: ipfilter
Subject: Re: IPF4.1.13 + Pfil 2.1.8 crash on Solaris 8
From: Darren Reed <darrenr () reed ! wattle ! id ! au>
Date: 2006-06-08 18:58:14
Message-ID: 200606081858.k58IwEOC018081 () firewall ! reed ! wattle ! id ! au
> IPFilter crashed on Solaris 8 during a stress test.
>
> I found the reason is due to a NULL pointer dereference in
> static void nat_delete(nat, logtype)
>
> when calling
>
> fr_deletequeueentry(&nat->nat_tqe);
>
> It appeared *nat->nat_tqe is NULL at that time as shown with MDB.
..
> One possible fix would be check if nat->nat_tqe is not NULL as
>
> if (nat->nat_tqe)
> fr_deletequeueentry(&nat->nat_tqe);
>
> I have a question: what can cause nat->nat_tqe = NULL while the rest of
> the nat entry is valid?
I think what has happened here is that an attempt to remove the NAT
session has been made (expire/flush) while a reference to it is still
held somewhere else by IPFilter. When that other part of IPFilter is
done with the NAT session, it calls nat_deref() and then we go "POP".
So yes, the fix (above) is correct.
Darren
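The sequence described in the reply (the session is detached on expire/flush while another part of the code still holds a reference, and that holder's later nat_deref() reaches nat_delete() with nat_tqe already NULL), as an added C model that is not IPFilter's code. The struct layout, nat_expire()/nat_deref() semantics and return values are assumptions; the names only mirror the thread's identifiers.

```c
#include <stdlib.h>

/* Constructed model of the pattern in the thread, not IPFilter code: a NAT
 * session on a timeout queue, reference-counted elsewhere. Names are hypothetical. */
typedef struct tqent { int queued; } tqent_t;
typedef struct nat {
    int      nat_ref;   /* references: the timeout queue plus other holders */
    tqent_t *nat_tqe;   /* timeout-queue entry, NULL once dequeued */
} nat_t;

/* Crash site: dereferences *tqep, so it must never be called with NULL. */
static void fr_deletequeueentry(tqent_t **tqep) {
    (*tqep)->queued = 0;
    free(*tqep);
    *tqep = NULL;
}

/* Final teardown with the guard proposed in the thread; returns 1 if the
 * queue entry was still attached, 0 if it was already gone. */
static int nat_delete(nat_t *nat) {
    int had_tqe = (nat->nat_tqe != NULL);
    if (had_tqe)                        /* the fix: guard the dereference */
        fr_deletequeueentry(&nat->nat_tqe);
    free(nat);
    return had_tqe;
}

/* Drop one reference; the last one tears the session down (-1 = still held). */
static int nat_deref(nat_t *nat) {
    return (--nat->nat_ref > 0) ? -1 : nat_delete(nat);
}

/* Expire/flush path: detach from the timeout queue, drop the queue's reference. */
static int nat_expire(nat_t *nat) {
    if (nat->nat_tqe != NULL)
        fr_deletequeueentry(&nat->nat_tqe);
    return nat_deref(nat);
}

/* Scenario from the thread: flush while another holder still has a reference,
 * so its later nat_deref() reaches nat_delete() with nat_tqe already NULL. */
int flush_then_deref(void) {
    nat_t *nat = calloc(1, sizeof *nat);            /* constructed session */
    nat->nat_tqe = calloc(1, sizeof *nat->nat_tqe);
    nat->nat_ref = 2;                               /* the queue + one other holder */
    nat_expire(nat);                                /* survives, nat_tqe == NULL */
    return nat_deref(nat);                          /* 0: guard skipped the NULL entry */
}
```

Without the `if (had_tqe)` guard in nat_delete(), the second nat_deref() would call fr_deletequeueentry() on a NULL entry, which is the crash the original report observed.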