diff options
author | Patrick McHardy <kaber@trash.net> | 2006-05-02 17:23:07 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-05-02 20:26:39 -0400 |
commit | e17df688f7064dae1417ce425dd1e4b71d24d63b (patch) | |
tree | bc631aa05f4fde009ff260fca51005eb9077a203 | |
parent | ebf34c9b6fcd22338ef764b039b3ac55ed0e297b (diff) |
[NETFILTER] SCTP conntrack: fix infinite loop
fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to
guarantee progress of for_each_sctp_chunk(). (all other uses of
for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix
should be complete.)
Based on patch from Ingo Molnar <mingo@elte.hu>
CVE-2006-1527
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_proto_sctp.c | 11 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_proto_sctp.c | 11 |
2 files changed, 14 insertions, 8 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c index 5259abd0fb42..0416073c5600 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c | |||
@@ -235,12 +235,15 @@ static int do_basic_checks(struct ip_conntrack *conntrack, | |||
235 | flag = 1; | 235 | flag = 1; |
236 | } | 236 | } |
237 | 237 | ||
238 | /* Cookie Ack/Echo chunks not the first OR | 238 | /* |
239 | Init / Init Ack / Shutdown compl chunks not the only chunks */ | 239 | * Cookie Ack/Echo chunks not the first OR |
240 | if ((sch->type == SCTP_CID_COOKIE_ACK | 240 | * Init / Init Ack / Shutdown compl chunks not the only chunks |
241 | * OR zero-length. | ||
242 | */ | ||
243 | if (((sch->type == SCTP_CID_COOKIE_ACK | ||
241 | || sch->type == SCTP_CID_COOKIE_ECHO | 244 | || sch->type == SCTP_CID_COOKIE_ECHO |
242 | || flag) | 245 | || flag) |
243 | && count !=0 ) { | 246 | && count !=0) || !sch->length) { |
244 | DEBUGP("Basic checks failed\n"); | 247 | DEBUGP("Basic checks failed\n"); |
245 | return 1; | 248 | return 1; |
246 | } | 249 | } |
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c index 9cccc325b687..0c6da496cfa9 100644 --- a/net/netfilter/nf_conntrack_proto_sctp.c +++ b/net/netfilter/nf_conntrack_proto_sctp.c | |||
@@ -240,12 +240,15 @@ static int do_basic_checks(struct nf_conn *conntrack, | |||
240 | flag = 1; | 240 | flag = 1; |
241 | } | 241 | } |
242 | 242 | ||
243 | /* Cookie Ack/Echo chunks not the first OR | 243 | /* |
244 | Init / Init Ack / Shutdown compl chunks not the only chunks */ | 244 | * Cookie Ack/Echo chunks not the first OR |
245 | if ((sch->type == SCTP_CID_COOKIE_ACK | 245 | * Init / Init Ack / Shutdown compl chunks not the only chunks |
246 | * OR zero-length. | ||
247 | */ | ||
248 | if (((sch->type == SCTP_CID_COOKIE_ACK | ||
246 | || sch->type == SCTP_CID_COOKIE_ECHO | 249 | || sch->type == SCTP_CID_COOKIE_ECHO |
247 | || flag) | 250 | || flag) |
248 | && count !=0 ) { | 251 | && count !=0) || !sch->length) { |
249 | DEBUGP("Basic checks failed\n"); | 252 | DEBUGP("Basic checks failed\n"); |
250 | return 1; | 253 | return 1; |
251 | } | 254 | } |