diff options
| author | Patrick McHardy <kaber@trash.net> | 2006-06-19 19:14:21 +0200 |
|---|---|---|
| committer | Chris Wright <chrisw@sous-sol.org> | 2006-06-20 02:31:42 -0700 |
| commit | b9d3e52e0e0f95ab5198ac20fbc47b3cb1a63407 (patch) | |
| tree | 7c99e645aa49f49cb173d950c0c4de6e982d6297 | |
| parent | 427abfa28afedffadfca9dd8b067eb6d36bac53f (diff) | |
[PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)
Fix endless loop in the SCTP match similar to those already fixed in the
SCTP conntrack helper (was CVE-2006-1527).
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
| -rw-r--r-- | net/netfilter/xt_sctp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c index 34bd87259a09..c29692c7ca19 100644 --- a/net/netfilter/xt_sctp.c +++ b/net/netfilter/xt_sctp.c @@ -62,7 +62,7 @@ match_packet(const struct sk_buff *skb, do { sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch); - if (sch == NULL) { + if (sch == NULL || sch->length == 0) { duprintf("Dropping invalid SCTP packet.\n"); *hotdrop = 1; return 0; |