[ovs-dev] [PATCH v2] conntrack: Fix ct-clean thread crash bug

huanglili huanglili.huang at huawei.com
Fri Aug 25 06:25:23 UTC 2017


From: Lili Huang <huanglili.huang at huawei.com>

Conn should be removed from the list before being freed.

This crash will be triggered when an established flow does ct(nat)
again, like
"ip,actions=ct(table=1)
 table=1,in_port=1,ip,actions=ct(commit,nat(dst=5.5.5.5)),2
 table=1,in_port=2,ip,ct_state=+est,actions=1
 table=1,in_port=1,ip,ct_state=+est,actions=2"

Signed-off-by: Lili Huang <huanglili.huang at huawei.com>
---
 lib/conntrack.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index 1c0e023..4918aaf 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -805,6 +805,7 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt,
      * against with firewall rules or a separate firewall.
      * Also using zone partitioning can limit DoS impact. */
 nat_res_exhaustion:
+    ovs_list_remove(&nc->exp_node);
     delete_conn(nc);
     /* conn_for_un_nat_copy is a local variable in process_one; this
      * memset() serves to document that conn_for_un_nat_copy is from
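
Review bot: at the nat_res_exhaustion label the new ovs_list_remove(&nc->exp_node) runs unconditionally, but the hunk does not show where nc->exp_node is linked into a list, so it cannot be confirmed from these lines that every goto to this label happens after that insertion. Please confirm that each path reaching the label has nc already on the list, since unlinking a node that was never inserted would follow uninitialized prev/next pointers. A one-line comment above the call saying that the node must be unlinked before delete_conn(nc) frees it would help, because the link to the ct-clean thread crash is only in the commit message. Is the list protected by a lock that is held at this point, so the removal cannot race with the thread walking it?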
-- 
1.8.3.1



