diff options
| author | Patrick McHardy <kaber@trash.net> | 2006-05-02 23:23:07 +0200 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-05-02 17:26:39 -0700 |
| commit | e17df688f7064dae1417ce425dd1e4b71d24d63b (patch) | |
| tree | bc631aa05f4fde009ff260fca51005eb9077a203 /net/netfilter | |
| parent | ebf34c9b6fcd22338ef764b039b3ac55ed0e297b (diff) | |
| download | kernel_samsung_espresso10-e17df688f7064dae1417ce425dd1e4b71d24d63b.zip kernel_samsung_espresso10-e17df688f7064dae1417ce425dd1e4b71d24d63b.tar.gz kernel_samsung_espresso10-e17df688f7064dae1417ce425dd1e4b71d24d63b.tar.bz2 | |
[NETFILTER] SCTP conntrack: fix infinite loop
fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to
guarantee progress of for_each_sctp_chunk(). (all other uses of
for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix
should be complete.)
Based on patch from Ingo Molnar <mingo@elte.hu>
CVE-2006-1527
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_sctp.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c index 9cccc32..0c6da49 100644 --- a/net/netfilter/nf_conntrack_proto_sctp.c +++ b/net/netfilter/nf_conntrack_proto_sctp.c @@ -240,12 +240,15 @@ static int do_basic_checks(struct nf_conn *conntrack, flag = 1; } - /* Cookie Ack/Echo chunks not the first OR - Init / Init Ack / Shutdown compl chunks not the only chunks */ - if ((sch->type == SCTP_CID_COOKIE_ACK + /* + * Cookie Ack/Echo chunks not the first OR + * Init / Init Ack / Shutdown compl chunks not the only chunks + * OR zero-length. + */ + if (((sch->type == SCTP_CID_COOKIE_ACK || sch->type == SCTP_CID_COOKIE_ECHO || flag) - && count !=0 ) { + && count !=0) || !sch->length) { DEBUGP("Basic checks failed\n"); return 1; } |