[NETFILTER]: Fix locking of ipt_helper.

diff --git a/net/ipv4/netfilter/ipt_helper.c b/net/ipv4/netfilter/ipt_helper.c
index 1f7efb91c5e8c95d1f8ecb311a4abf627e4f91c9..28ab46445e4a9dbc3ca98698964d8dda9f0659b7 100644 (file)
--- a/net/ipv4/netfilter/ipt_helper.c
+++ b/net/ipv4/netfilter/ipt_helper.c
@@ -10,6 +10,7 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter_ipv4/ip_conntrack_core.h>
 #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_helper.h>
@@ -34,6 +35,7 @@ match(const struct sk_buff *skb,
        struct ip_conntrack_expect *exp;
        struct ip_conntrack *ct;
        enum ip_conntrack_info ctinfo;
+       int ret = 0;
        
        ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
        if (!ct) {
@@ -47,23 +49,27 @@ match(const struct sk_buff *skb,
        }
 
        exp = ct->master;
+       READ_LOCK(&ip_conntrack_lock);
        if (!exp->expectant) {
                DEBUGP("ipt_helper: expectation %p without expectant !?!\n", 
                        exp);
-               return 0;
+               goto out_unlock;
        }
 
        if (!exp->expectant->helper) {
                DEBUGP("ipt_helper: master ct %p has no helper\n", 
                        exp->expectant);
-               return 0;
+               goto out_unlock;
        }
 
        DEBUGP("master's name = %s , info->name = %s\n", 
                exp->expectant->helper->name, info->name);
 
-       return !strncmp(exp->expectant->helper->name, info->name, 
-                       strlen(exp->expectant->helper->name)) ^ info->invert;
+       ret = !strncmp(exp->expectant->helper->name, info->name, 
+                      strlen(exp->expectant->helper->name)) ^ info->invert;
+out_unlock:
+       READ_UNLOCK(&ip_conntrack_lock);
+       return ret;
 }
 
 static int check(const char *tablename,