Commits
Alexey Dobriyan authored 72e37424b9f
NETFILTER: check for valid VE conntrack structure in __nf_ct_l3proto_find()

If VE is started with permissions to use iptables but not conntracking, the ->nf_conntrack pointer will be NULL. However, there will be a NULL dereference during the following codepath:

    net/netfilter/xt_state.c:check()
        nf_ct_l3proto_try_module_get
            nf_ct_l3proto_find_get
                __nf_ct_l3proto_find
                    ve_nf_ct_l3protos[l3proto] == dereference

Steps to reproduce:

    iptables -A OUTPUT -m state --state NEW -j ACCEPT