Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

[NETFILTER] SCTP conntrack: fix infinite loop

Fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to
guarantee progress of for_each_sctp_chunk(). (All other uses of
for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix
should be complete.)

Based on patch from Ingo Molnar <mingo@elte.hu>

CVE-2006-1527

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

Authored by Patrick McHardy and committed by Linus Torvalds
e17df688 ebf34c9b

+14 -8
+7 -4
net/ipv4/netfilter/ip_conntrack_proto_sctp.c
··· 235 235 flag = 1; 236 236 } 237 237 238 - /* Cookie Ack/Echo chunks not the first OR 239 - Init / Init Ack / Shutdown compl chunks not the only chunks */ 240 - if ((sch->type == SCTP_CID_COOKIE_ACK 238 + /* 239 + * Cookie Ack/Echo chunks not the first OR 240 + * Init / Init Ack / Shutdown compl chunks not the only chunks 241 + * OR zero-length. 242 + */ 243 + if (((sch->type == SCTP_CID_COOKIE_ACK 241 244 || sch->type == SCTP_CID_COOKIE_ECHO 242 245 || flag) 243 - && count !=0 ) { 246 + && count !=0) || !sch->length) { 244 247 DEBUGP("Basic checks failed\n"); 245 248 return 1; 246 249 }
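Review bot: The new `|| !sch->length` test on the rewritten condition only rejects a chunk length of exactly zero, which is enough to guarantee the loop advances, but a chunk length smaller than the SCTP chunk header is equally malformed; consider rejecting any length below the header size in the same check so do_basic_checks() covers both. Note that testing `!sch->length` needs no byte-order conversion since zero is zero in either order. Since the `+ && count !=0) || !sch->length) {` line is being rewritten anyway, it would also be a good moment to correct the spacing to `count != 0` per kernel style.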
+7 -4
net/netfilter/nf_conntrack_proto_sctp.c
··· 240 240 flag = 1; 241 241 } 242 242 243 - /* Cookie Ack/Echo chunks not the first OR 244 - Init / Init Ack / Shutdown compl chunks not the only chunks */ 245 - if ((sch->type == SCTP_CID_COOKIE_ACK 243 + /* 244 + * Cookie Ack/Echo chunks not the first OR 245 + * Init / Init Ack / Shutdown compl chunks not the only chunks 246 + * OR zero-length. 247 + */ 248 + if (((sch->type == SCTP_CID_COOKIE_ACK 246 249 || sch->type == SCTP_CID_COOKIE_ECHO 247 250 || flag) 248 - && count !=0 ) { 251 + && count !=0) || !sch->length) { 249 252 DEBUGP("Basic checks failed\n"); 250 253 return 1; 251 254 }