| /[pkg-src]/trunk/kernel26-magellan/patches-2.6.16-r10/0125-2.6.16.13-sctp-conntrack-infiite-loop-fix.patch |
Annotation of /trunk/kernel26-magellan/patches-2.6.16-r10/0125-2.6.16.13-sctp-conntrack-infiite-loop-fix.patch
Parent Directory
| 
Revision Log
Revision 70 -
(hide annotations)
(download)
Thu May 11 19:09:22 2006 UTC (18 years ago) by niro
File size: 2211 byte(s)
Thu May 11 19:09:22 2006 UTC (18 years ago) by niro
File size: 2211 byte(s)
import
| 1 | niro | 70 | From: Patrick McHardy <kaber@trash.net> |
| 2 | Date: Tue, 2 May 2006 21:23:07 +0000 (+0200) | ||
| 3 | Subject: [PATCH] NETFILTER: SCTP conntrack: fix infinite loop (CVE-2006-1527) | ||
| 4 | X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=25b6badde42165b717e3c232e4992b3f6761920a | ||
| 5 | |||
| 6 | [PATCH] NETFILTER: SCTP conntrack: fix infinite loop (CVE-2006-1527) | ||
| 7 | |||
| 8 | [NETFILTER]: SCTP conntrack: fix infinite loop | ||
| 9 | |||
| 10 | fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to | ||
| 11 | guarantee progress of for_each_sctp_chunk(). (all other uses of | ||
| 12 | for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix | ||
| 13 | should be complete.) | ||
| 14 | |||
| 15 | Based on patch from Ingo Molnar <mingo@elte.hu> | ||
| 16 | |||
| 17 | Signed-off-by: Patrick McHardy <kaber@trash.net> | ||
| 18 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | ||
| 19 | --- | ||
| 20 | |||
| 21 | --- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c | ||
| 22 | +++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c | ||
| 23 | @@ -235,12 +235,15 @@ static int do_basic_checks(struct ip_con | ||
| 24 | flag = 1; | ||
| 25 | } | ||
| 26 | |||
| 27 | - /* Cookie Ack/Echo chunks not the first OR | ||
| 28 | - Init / Init Ack / Shutdown compl chunks not the only chunks */ | ||
| 29 | - if ((sch->type == SCTP_CID_COOKIE_ACK | ||
| 30 | + /* | ||
| 31 | + * Cookie Ack/Echo chunks not the first OR | ||
| 32 | + * Init / Init Ack / Shutdown compl chunks not the only chunks | ||
| 33 | + * OR zero-length. | ||
| 34 | + */ | ||
| 35 | + if (((sch->type == SCTP_CID_COOKIE_ACK | ||
| 36 | || sch->type == SCTP_CID_COOKIE_ECHO | ||
| 37 | || flag) | ||
| 38 | - && count !=0 ) { | ||
| 39 | + && count !=0) || !sch->length) { | ||
| 40 | DEBUGP("Basic checks failed\n"); | ||
| 41 | return 1; | ||
| 42 | } | ||
| 43 | --- a/net/netfilter/nf_conntrack_proto_sctp.c | ||
| 44 | +++ b/net/netfilter/nf_conntrack_proto_sctp.c | ||
| 45 | @@ -240,12 +240,15 @@ static int do_basic_checks(struct nf_con | ||
| 46 | flag = 1; | ||
| 47 | } | ||
| 48 | |||
| 49 | - /* Cookie Ack/Echo chunks not the first OR | ||
| 50 | - Init / Init Ack / Shutdown compl chunks not the only chunks */ | ||
| 51 | - if ((sch->type == SCTP_CID_COOKIE_ACK | ||
| 52 | + /* | ||
| 53 | + * Cookie Ack/Echo chunks not the first OR | ||
| 54 | + * Init / Init Ack / Shutdown compl chunks not the only chunks | ||
| 55 | + * OR zero-length. | ||
| 56 | + */ | ||
| 57 | + if (((sch->type == SCTP_CID_COOKIE_ACK | ||
| 58 | || sch->type == SCTP_CID_COOKIE_ECHO | ||
| 59 | || flag) | ||
| 60 | - && count !=0 ) { | ||
| 61 | + && count !=0) || !sch->length) { | ||
| 62 | DEBUGP("Basic checks failed\n"); | ||
| 63 | return 1; | ||
| 64 | } |