From 666ceb1e2cd71f844f5794a556c46b114764bca6 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Sun, 21 Sep 2008 14:00:50 +0200
Subject: fix: remove node from tx_list when the state-entry is destroy
This patches fixes a race that triggers a read-after-free access to the tx_list. The state-entry is destroyed but it is still in the list. The fix removes the state-entry from the tx_list in the destroy path.
Signed-off-by: Pablo Neira Ayuso
---
 src/sync-ftfw.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
(limited to 'src/sync-ftfw.c')
diff --git a/src/sync-ftfw.c b/src/sync-ftfw.c
index 5019d4e..4c1b536 100644
--- a/src/sync-ftfw.c
+++ b/src/sync-ftfw.c
@@ -70,12 +70,15 @@ static void cache_ftfw_del(struct us_conntrack *u, void *data)
 struct cache_ftfw *cn = data;
 /* this node is already out of the list */
- if (list_empty(&cn->rs_list))
- return;
-
- /* no need for list_del_init since the entry is destroyed */
- list_del(&cn->rs_list);
- rs_list_len--;
+ if (!list_empty(&cn->rs_list)) {
+ /* no need for list_del_init since the entry is destroyed */
+ list_del(&cn->rs_list);
+ rs_list_len--;
+ }
+ if (!list_empty(&cn->tx_list)) {
+ list_del(&cn->tx_list);
+ tx_list_len--;
+ }
 }
 static struct cache_extra cache_ftfw_extra = {
--
cgit v1.2.3
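Review bot: The new `if (!list_empty(&cn->tx_list))` guard is only a sound "still queued" test if `tx_list` is initialised as an empty list head when the entry is created and every other place that unlinks it re-initialises the node; neither is visible in this hunk. If some other path uses a plain `list_del` on `tx_list`, this test would presumably still be true afterwards, and the destroy path would unlink the node a second time and decrement `tx_list_len` twice. I would record the invariant next to the check, e.g. `/* tx_list is self-linked unless queued; every other unlink must use list_del_init() */`. The kept context comment `/* this node is already out of the list */` now sits above a test for the opposite case and no longer matches an early return; something like `/* unlink from rs_list if the node is still on it */` would fit the new code. The function's signature and opening brace lie outside the hunk, so the initialisation of `cn` beyond the visible assignment cannot be checked from here.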