On Sat, Sep 03, 2016 at 07:51:50PM +0800, f...@ikuai8.com wrote: > From: Gao Feng <f...@ikuai8.com> > > When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj > extension. But the function nf_ct_seqadj_init doesn't check if get valid > seqadj pointer by the nfct_seqadj, while other functions perform the > sanity check. > > So the system would panic when nfct_seqadj_ext_add failed. > > Signed-off-by: Gao Feng <f...@ikuai8.com> > --- > v3: Remove the warning log when seqadj is null; > v2: Remove the unnecessary seqadj check in nf_ct_seq_adjust > v1: Initial patch > > net/netfilter/nf_conntrack_seqadj.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_conntrack_seqadj.c > b/net/netfilter/nf_conntrack_seqadj.c > index dff0f0c..7f8d814 100644 > --- a/net/netfilter/nf_conntrack_seqadj.c > +++ b/net/netfilter/nf_conntrack_seqadj.c > @@ -16,9 +16,12 @@ int nf_ct_seqadj_init(struct nf_conn *ct, enum > ip_conntrack_info ctinfo, > if (off == 0) > return 0; > > + seqadj = nfct_seqadj(ct); > + if (unlikely(!seqadj)) > + return 0;
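Review bot: the added `if (unlikely(!seqadj)) return 0;` branch in nf_ct_seqadj_init() returns the same value as the `off == 0` early exit directly above it, so a caller cannot distinguish "no adjustment needed" from "seqadj extension missing, offset not recorded". With the warning log removed in v3, that failure is also silent. Consider returning a distinct error code from this branch, or handling the nfct_seqadj_ext_add failure at the point where the extension is added, so a connection whose sequence offset could not be stored is not treated as successfully initialised.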
I think we should handle this from init_conntrack() by simply dropping the packet as we do under similar circumstances (too stressed to deal).