List:       ipfilter
Subject:    Re: IPF4.1.13 + Pfil 2.1.8 crash on Solaris 8
From:       Darren Reed <darrenr () reed ! wattle ! id ! au>
Date:       2006-06-08 18:58:14
Message-ID: 200606081858.k58IwEOC018081 () firewall ! reed ! wattle ! id ! au

> IPFilter crashed on Solaris 8 during a stress test.
> 
> I found the reason is due to a NULL pointer dereference in
> static void nat_delete(nat, logtype)
> 
> when calling
> 
> fr_deletequeueentry(&nat->nat_tqe);
> 
> It appeared *nat->nat_tqe is NULL at that time as shown with MDB.
..
> One possible fix would be check if nat->nat_tqe is not NULL as
> 
> if (nat->nat_tqe)
>         fr_deletequeueentry(&nat->nat_tqe);
> 
> I have a question, what can cause nat->nat_tqe = NULL but the rest of
> nat entry is valid?

I think what has happened here is that an attempt to remove the NAT
session has been made (expire/flush) while a reference to it is still
held somewhere else by IPFilter.  When that other part of IPFilter is
done with the NAT session, it calls nat_deref() and then we go "POP".

So yes, the fix (above) is correct.

Darren
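The lifecycle Darren describes (flush unlinks the session from its timeout queue while another holder still references it; the holder's later deref runs delete a second time) in a small stand-alone C model. This is added example code, not IPFilter's source; the struct layout, names (tqent_t, session_t, run_scenario) and the skipped_unlinks counter are hypothetical, and the NULL test in delete_queue_entry plays the role of the guard proposed in the thread.

```c
#include <stdlib.h>
/* Timeout-queue entry; ifq is NULL once the entry has been unlinked. */
typedef struct tqent { struct tqent *next; struct tqueue *ifq; } tqent_t;
typedef struct tqueue { tqent_t *head; int count; } tqueue_t;
/* NAT-like session: reference count plus embedded queue entry (hypothetical). */
typedef struct session { int ref; tqent_t tqe; } session_t;
static int skipped_unlinks;   /* second unlinks that the guard turned into no-ops */
static void enqueue(tqueue_t *q, session_t *s) {
    s->tqe.next = q->head; s->tqe.ifq = q;
    q->head = &s->tqe; q->count++;
}
/* Unlink tqe from its queue. The NULL test is the guard from the thread: without
 * it, an entry that was already unlinked would be dereferenced through q->head. */
static int delete_queue_entry(tqent_t *tqe) {
    tqueue_t *q = tqe->ifq;
    if (q == NULL)
        return 0;                           /* already off the queue */
    for (tqent_t **pp = &q->head; *pp != NULL; pp = &(*pp)->next)
        if (*pp == tqe) { *pp = tqe->next; break; }
    q->count--; tqe->ifq = NULL; tqe->next = NULL;
    return 1;
}
/* Expire/flush path: unlink and drop the table's reference. The memory stays
 * allocated while another part of the code still holds a reference. */
static void session_delete(session_t *s) {
    if (!delete_queue_entry(&s->tqe))
        skipped_unlinks++;
    if (--s->ref == 0)
        free(s);
}
/* The other holder is finished; the last reference runs delete a second time. */
static void session_deref(session_t *s) {
    if (s->ref == 1) session_delete(s); else s->ref--;
}
/* Flush a session while other_holders extra references exist, then release
 * them. Returns how many unlinks found the entry already removed (the path
 * that crashed); *qcount receives the queue length afterwards. */
int run_scenario(int other_holders, int *qcount) {
    tqueue_t q = { NULL, 0 };
    session_t *s = calloc(1, sizeof *s);
    if (s == NULL) return -1;
    skipped_unlinks = 0;
    s->ref = 1 + other_holders;             /* table ref + other holders */
    enqueue(&q, s);
    session_delete(s);                      /* expire/flush */
    for (int i = 0; i < other_holders; i++)
        session_deref(s);                   /* other subsystem finishes later */
    *qcount = q.count;
    return skipped_unlinks;
}
```

With one extra holder the second unlink is reached exactly once; without the guard that call is where the NULL dereference would occur, with it the queue is simply left alone and the session is freed on the final deref.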