[NETFILTER] SCTP conntrack: fix infinite loop

fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to
guarantee progress of for_each_sctp_chunk(). (all other uses of
for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix
should be complete.)

Based on patch from Ingo Molnar <mingo@elte.hu>

CVE-2006-1527

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

1 files changed, 7 insertions, 4 deletions

diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
index 5259abd0fb42..0416073c5600 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
@@ -235,12 +235,15 @@ static int do_basic_checks(struct ip_conntrack *conntrack,
                         flag = 1;
                 }
 
-                /* Cookie Ack/Echo chunks not the first OR 
-                   Init / Init Ack / Shutdown compl chunks not the only chunks */
-                if ((sch->type == SCTP_CID_COOKIE_ACK 
+                /*
+                 * Cookie Ack/Echo chunks not the first OR
+                 * Init / Init Ack / Shutdown compl chunks not the only chunks
+                 * OR zero-length.
+                 */
+                if (((sch->type == SCTP_CID_COOKIE_ACK
                         || sch->type == SCTP_CID_COOKIE_ECHO
                         || flag)
-                     && count !=0 ) {
+                      && count !=0) || !sch->length) {
                         DEBUGP("Basic checks failed\n");
                         return 1;
                 }