| From stable-bounces@linux.kernel.org Mon Jun 19 10:18:30 2006 |
| Date: Mon, 19 Jun 2006 19:14:21 +0200 |
| From: Patrick McHardy <kaber@trash.net> |
| To: "David S. Miller" <davem@davemloft.net> |
| Cc: security@kernel.org, stable@kernel.org |
| Subject: [NETFILTER]: xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085) |
| |
| Fix endless loop in the SCTP match similar to those already fixed in the |
| SCTP conntrack helper (was CVE-2006-1527). |
| |
| Signed-off-by: Patrick McHardy <kaber@trash.net> |
| Signed-off-by: Chris Wright <chrisw@sous-sol.org> |
| --- |
| |
| net/netfilter/xt_sctp.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- linux-2.6.17.orig/net/netfilter/xt_sctp.c |
| +++ linux-2.6.17/net/netfilter/xt_sctp.c |
| @@ -62,7 +62,7 @@ match_packet(const struct sk_buff *skb, |
| |
| do { |
| sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch); |
| - if (sch == NULL) { |
| + if (sch == NULL || sch->length == 0) { |
| duprintf("Dropping invalid SCTP packet.\n"); |
| *hotdrop = 1; |
| return 0; |
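
Review bot: the added `sch->length == 0` test in the first check inside the `do` loop rejects only an exactly-zero length, while a length that is nonzero but smaller than `sizeof(_sch)` (the header size read on the line above) is just as malformed and still passes. Whether such a value moves `offset` forward depends on the loop's increment, which this hunk does not show, so either confirm it there or reject anything below the header size here. A one-line comment above the condition noting that a zero chunk length is what causes the endless loop named in the subject would also help, because the hunk itself gives no reason for the check. The shared "Dropping invalid SCTP packet." debug message also does not tell a reader which of the two conditions fired.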