conntrack: Fix conn_update_state_alg use after free.

When conn_update_state() returns true, conn has been freed, so skip calling handle_ftp_ctl() with this conn and instead follow code path for new connections. Fixes: bd5e81a ("Userspace Datapath: Add ALG infra and FTP.") Signed-off-by: Darrell Ball <[email protected]> Signed-off-by: Ben Pfaff <[email protected]>
blp · Jul 11, 2018 · 030958a · 030958a
1 parent 68fd925
commit 030958a
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/lib/conntrack.c b/lib/conntrack.c
@@ -1156,8 +1156,11 @@ conn_update_state_alg(struct conntrack *ct, struct dp_packet *pkt,
         } else {
             *create_new_conn = conn_update_state(ct, pkt, ctx, &conn, now,
                                                 bucket);
-            handle_ftp_ctl(ct, ctx, pkt, conn, now, CT_FTP_CTL_OTHER,
-                           !!nat_action_info);
+
+            if (*create_new_conn == false) {
+                handle_ftp_ctl(ct, ctx, pkt, conn, now, CT_FTP_CTL_OTHER,
+                               !!nat_action_info);
+            }
         }
         return true;
     }