diff options
| author | Patrick McHardy <kaber@trash.net> | 2006-06-20 02:39:45 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2006-06-20 02:39:45 -0400 |
| commit | d3dcd4efe2ad1ad1865b2fe5c863c1ebd9482a84 (patch) | |
| tree | 058379919390c78a18075fabf43e8fdd3d645418 /net/netfilter | |
| parent | 25f42b6af09e34c3f92107b36b5aa6edc2fdba2f (diff) | |
[NETFILTER]: xt_sctp: fix endless loop caused by 0 chunk length
Fix endless loop in the SCTP match similar to those already fixed in
the SCTP conntrack helper (was CVE-2006-1527).
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/xt_sctp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c index b5110e5b54b0..9316c753692f 100644 --- a/net/netfilter/xt_sctp.c +++ b/net/netfilter/xt_sctp.c | |||
| @@ -62,7 +62,7 @@ match_packet(const struct sk_buff *skb, | |||
| 62 | 62 | ||
| 63 | do { | 63 | do { |
| 64 | sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch); | 64 | sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch); |
| 65 | if (sch == NULL) { | 65 | if (sch == NULL || sch->length == 0) { |
| 66 | duprintf("Dropping invalid SCTP packet.\n"); | 66 | duprintf("Dropping invalid SCTP packet.\n"); |
| 67 | *hotdrop = 1; | 67 | *hotdrop = 1; |
| 68 | return 0; | 68 | return 0; |