diff options
| author | Patrick McHardy <kaber@trash.net> | 2006-01-09 19:43:43 -0500 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-01-10 15:54:30 -0500 |
| commit | 15db34702cfafd24acc60295cf14861e497502ab (patch) | |
| tree | 541d18bb0b8e1d915ca258d16ea79df730b8f0b7 | |
| parent | bb94aa169eaa6e713a429370d37388722f08666f (diff) | |
[NETFILTER]: Fix crash in ip_nat_pptp
When an inbound PPTP_IN_CALL_REQUEST packet is received the
PPTP NAT helper uses a NULL pointer in pointer arithmentic to
calculate the offset in the packet which needs to be mangled
and corrupts random memory or crashes.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/ipv4/netfilter/ip_nat_helper_pptp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/ip_nat_helper_pptp.c b/net/ipv4/netfilter/ip_nat_helper_pptp.c index e546203f5662..8ad7b36e242d 100644 --- a/net/ipv4/netfilter/ip_nat_helper_pptp.c +++ b/net/ipv4/netfilter/ip_nat_helper_pptp.c | |||
| @@ -315,7 +315,7 @@ pptp_inbound_pkt(struct sk_buff **pskb, | |||
| 315 | break; | 315 | break; |
| 316 | case PPTP_IN_CALL_REQUEST: | 316 | case PPTP_IN_CALL_REQUEST: |
| 317 | /* only need to nat in case PAC is behind NAT box */ | 317 | /* only need to nat in case PAC is behind NAT box */ |
| 318 | break; | 318 | return NF_ACCEPT; |
| 319 | case PPTP_WAN_ERROR_NOTIFY: | 319 | case PPTP_WAN_ERROR_NOTIFY: |
| 320 | pcid = &pptpReq->wanerr.peersCallID; | 320 | pcid = &pptpReq->wanerr.peersCallID; |
| 321 | break; | 321 | break; |