From 27d8c2075054c4e83f3630e2c56d261b66ed9a93 Mon Sep 17 00:00:00 2001
From: Evgenii Bendyak
Date: Tue, 30 Apr 2024 16:51:53 +0300
Subject: fix bug in race condition of calling nflog_open from different threads at same time

This patch addresses a bug that occurs when the nflog_open function is called concurrently from different threads within an application. The function nflog_open internally invokes nflog_open_nfnl. Within this function, a static global variable pkt_cb (static struct nfnl_callback pkt_cb) is used. This variable is assigned a pointer to a newly created structure (pkt_cb.data = h;) and is passed to nfnl_callback_register. The issue arises with concurrent execution of pkt_cb.data = h;, as only one of the simultaneously created nflog_handle structures is retained due to the callback function. Subsequently, the callback function __nflog_rcv_pkt is invoked for all the nflog_open structures, but only references one of them. Consequently, the callbacks registered by the end-user of the library through nflog_callback_register fail to trigger in sessions where the incorrect reference was recorded. This patch corrects this behavior by creating the structure locally on the stack for each call to nflog_open_nfnl. Since the nfnl_callback_register function simply copies the data into its internal structures, there is no need to retain pkt_cb beyond this point.

Signed-off-by: Evgenii Bendyak
Signed-off-by: Phil Sutter
---
 src/libnetfilter_log.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
(limited to 'src')
diff --git a/src/libnetfilter_log.c b/src/libnetfilter_log.c
index cb09384..339c961 100644
--- a/src/libnetfilter_log.c
+++ b/src/libnetfilter_log.c
@@ -161,11 +161,6 @@ static int __nflog_rcv_pkt(struct nlmsghdr *nlh, struct nfattr *nfa[],
 return gh->cb(gh, nfmsg, &nfldata, gh->data);
 }
 
-static struct nfnl_callback pkt_cb = {
- .call = &__nflog_rcv_pkt,
- .attr_count = NFULA_MAX,
-};
-
 /* public interface */
 
 struct nfnl_handle *nflog_nfnlh(struct nflog_handle *h)
@@ -255,6 +250,10 @@ struct nflog_handle *nflog_open_nfnl(struct nfnl_handle *nfnlh)
 {
 struct nflog_handle *h;
 int err;
+ struct nfnl_callback pkt_cb = {
+ .call = &__nflog_rcv_pkt,
+ .attr_count = NFULA_MAX,
+ };
 
 h = calloc(1, sizeof(*h));
 if (!h)
-- 
cgit v1.2.3
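Review bot: The stack-allocated pkt_cb in nflog_open_nfnl is only safe because nfnl_callback_register() copies the struct rather than keeping its address, an assumption the commit message states but the code does not record; a reader seeing a local whose address is handed to another library will reasonably worry about a dangling stack reference. Suggest a comment on the declaration: `/* Per-call, not static: nfnl_callback_register() copies it, so concurrent nflog_open() calls cannot clobber .data. */`. The `.data` field is deliberately left out of the initializer and is presumably still assigned before registration, but both that assignment and the register call lie outside this hunk, so the copy semantics cannot be confirmed from here. nflog_open_nfnl continues beyond the hunk.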