| From stable-bounces@linux.kernel.org Mon Jan 9 17:04:42 2006 |
| Message-ID: <43C30717.8030205@trash.net> |
| Date: Tue, 10 Jan 2006 02:00:07 +0100 |
| From: Patrick McHardy <kaber@trash.net> |
| To: stable@kernel.org |
| Cc: |
| Subject: [NETFILTER]: Fix crash in ip_nat_pptp (CVE-2006-0036) |
| |
| When an inbound PPTP_IN_CALL_REQUEST packet is received the |
| PPTP NAT helper uses a NULL pointer in pointer arithmentic to |
| calculate the offset in the packet which needs to be mangled |
| and corrupts random memory or crashes. |
| |
| Signed-off-by: Patrick McHardy <kaber@trash.net> |
| Signed-off-by: Chris Wright <chrisw@sous-sol.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| --- |
| net/ipv4/netfilter/ip_nat_helper_pptp.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- linux-2.6.14.6.orig/net/ipv4/netfilter/ip_nat_helper_pptp.c |
| +++ linux-2.6.14.6/net/ipv4/netfilter/ip_nat_helper_pptp.c |
| @@ -313,7 +313,7 @@ pptp_inbound_pkt(struct sk_buff **pskb, |
| break; |
| case PPTP_IN_CALL_REQUEST: |
| /* only need to nat in case PAC is behind NAT box */ |
| - break; |
| + return NF_ACCEPT; |
| case PPTP_WAN_ERROR_NOTIFY: |
| pcid = &pptpReq->wanerr.peersCallID; |
| break; |
