]> git.karo-electronics.de Git - karo-tx-linux.git/commitdiff
[PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)
authorPatrick McHardy <kaber@trash.net>
Mon, 19 Jun 2006 17:14:21 +0000 (19:14 +0200)
committerChris Wright <chrisw@sous-sol.org>
Tue, 20 Jun 2006 09:31:42 +0000 (02:31 -0700)
Fix endless loop in the SCTP match similar to those already fixed in the
SCTP conntrack helper (was CVE-2006-1527).

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
net/netfilter/xt_sctp.c

index 34bd87259a09fea8b84671104c6a314cad5aafbd..c29692c7ca19658a4c8895cf16ef6d964c4122b2 100644 (file)
@@ -62,7 +62,7 @@ match_packet(const struct sk_buff *skb,
 
        do {
                sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
-               if (sch == NULL) {
+               if (sch == NULL || sch->length == 0) {
                        duprintf("Dropping invalid SCTP packet.\n");
                        *hotdrop = 1;
                        return 0;