summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-06-19 19:14:21 +0200
committerChris Wright <chrisw@sous-sol.org>2006-06-20 01:54:53 -0700
commitab46ee26dc90c5608c0d51c33a029fe514c0a49d (patch)
treec7f67db86a1fc5a05f15556ab472e0ef9d25a31d
parent0ba239cc0ef0ebf9d38cd733754fcf657ae79b2b (diff)
[PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)
Fix endless loop in the SCTP match similar to those already fixed in the SCTP conntrack helper (was CVE-2006-1527). Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
-rw-r--r--net/netfilter/xt_sctp.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index 10fbfc5ba758..239018244407 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -62,7 +62,7 @@ match_packet(const struct sk_buff *skb,
do {
sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
- if (sch == NULL) {
+ if (sch == NULL || sch->length == 0) {
duprintf("Dropping invalid SCTP packet.\n");
*hotdrop = 1;
return 0;