David S. Miller wrote:
> On Sat, 21 Aug 2004 17:10:20 +0200
> Patrick McHardy <kaber@xxxxxxxxx> wrote:
>
> > The problem is that conntrack unload can cause packets without a
> > dst_entry to appear in ip_local_deliver, which is already after
> > the call to dst_input.
>
> How can it call ip_local_deliver() without a valid skb->dst?
> That function is only invoked via skb->dst->input(skb) which
> by implication means that skb->dst is non-NULL.
>
> Actually there is a call via ip_mr_input() but that code also
> has a precondition that skb->dst is non-NULL too. I say this
> due to the unchecked skb->dst accesses it makes early on.
>
> Please explain. I don't question that it happens, just show
> me how :-)

The first fragment (offset=0) is given to ip_defrag by conntrack
at PRE_ROUTING, without a dst_entry. Then conntrack is unloaded.
Further fragments are now queued in ip_local_deliver. When the
packet is reassembled and "continues" its way from
ip_local_deliver, it doesn't have a dst_entry.

The opposite way is of course also possible, packets queued in
ip_local_deliver can jump and appear in the PRE_ROUTING hook
when conntrack is loaded, but that way doesn't seem to cause
problems.
Regards
Patrick
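The sequence Patrick describes, replayed in a constructed C model added here (not kernel code and not part of the thread): a single reassembly queue is shared by every caller of ip_defrag, and the reassembled packet is the offset-0 fragment, so it carries whatever dst that fragment had when it was queued. The names skb, dst_entry, ip_defrag and ip_route_input are stand-ins that only mimic the kernel's behaviour at the level the thread discusses.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: a packet with a route-cache pointer (skb->dst). */
typedef struct { const char *name; } dst_entry;
typedef struct {
    unsigned id;       /* IP identification, shared by all fragments */
    unsigned offset;   /* fragment offset; 0 marks the first fragment */
    bool more;         /* MF flag */
    dst_entry *dst;    /* NULL until routing has run on this fragment */
} skb;

/* One reassembly queue shared by every caller of ip_defrag(). */
typedef struct { bool in_use; unsigned id; skb head; bool have_first, have_last; } ipq;
static ipq queue;

/* Queue a fragment; hand back the reassembled packet once both ends arrived.
 * The result is the offset-0 fragment (queue head), with that fragment's dst. */
static skb *ip_defrag(skb *frag) {
    if (!queue.in_use) { queue.in_use = true; queue.id = frag->id;
                         queue.have_first = queue.have_last = false; }
    if (frag->offset == 0) { queue.head = *frag; queue.have_first = true; }
    if (!frag->more) queue.have_last = true;
    if (!(queue.have_first && queue.have_last)) return NULL;
    queue.in_use = false;
    return &queue.head;
}

static dst_entry local_route = { "local" };

/* Routing only runs on a fragment that left PRE_ROUTING unconsumed. */
static void ip_route_input(skb *s) { s->dst = &local_route; }

/* Replay of the thread's scenario. With conntrack loaded, fragment 0 is
 * defragged at PRE_ROUTING before routing; conntrack is then unloaded and
 * fragment 1 takes the normal path into ip_local_deliver, which completes
 * the reassembly. Returns whether the packet that "continues" from
 * ip_local_deliver still satisfies the skb->dst != NULL precondition. */
bool reassembled_in_local_deliver_has_dst(bool conntrack_loaded_for_first) {
    skb f0 = { 1, 0, true, NULL }, f1 = { 1, 8, false, NULL };
    skb *out = NULL;
    queue.in_use = false;
    if (conntrack_loaded_for_first) {
        out = ip_defrag(&f0);            /* PRE_ROUTING: no dst yet, fragment stolen */
    } else {
        ip_route_input(&f0);
        out = ip_defrag(&f0);            /* ip_local_deliver: dst already set */
    }
    ip_route_input(&f1);                 /* conntrack unloaded: routed normally */
    out = ip_defrag(&f1);                /* ip_local_deliver completes reassembly */
    return out != NULL && out->dst != NULL;
}
```

The interesting return is the false one: the precondition Dave relies on holds for the fragment that entered ip_local_deliver, but not for the packet ip_defrag hands back.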