9c48e1ea8cf8800cc5e2d39ccbb8b5ff9704f8e9 - pub/scm/linux/kernel/git/kees/linux

commit	9c48e1ea8cf8800cc5e2d39ccbb8b5ff9704f8e9	[log] [tgz]
author	Patrick McHardy <kaber@trash.net>	Fri Jun 30 05:33:12 2006 +0200
committer	Chris Wright <chrisw@sous-sol.org>	Fri Jun 30 10:37:31 2006 -0700
tree	aeb13575ceee98bb0dcf5f0ee521a7eebe6b32ae
parent	27162bf76c8e1d20f81ba53c356ca8681aa90461 [diff]

[PATCH] NETFILTER: SCTP conntrack: fix crash triggered by packet without chunks [CVE-2006-2934]

When a packet without any chunks is received, the newconntrack variable
in sctp_packet contains an out of bounds value that is used to look up an
pointer from the array of timeouts, which is then dereferenced, resulting
in a crash. Make sure at least a single chunk is present.

Problem noticed by George A. Theall <theall@tenablesecurity.com>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

net/ipv4/netfilter/ip_conntrack_proto_sctp.c[diff]
net/netfilter/nf_conntrack_proto_sctp.c[diff]

2 files changed

tree: aeb13575ceee98bb0dcf5f0ee521a7eebe6b32ae

arch/
block/
crypto/
Documentation/
drivers/
fs/
include/
init/
ipc/
kernel/
lib/
mm/
net/
scripts/
security/
sound/
usr/
.gitignore
COPYING
CREDITS
Kbuild
MAINTAINERS
Makefile
README
REPORTING-BUGS