| /[pkg-src]/trunk/kernel26-magellan/patches-2.6.16-r10/0125-2.6.16.13-sctp-conntrack-infiite-loop-fix.patch |
Contents of /trunk/kernel26-magellan/patches-2.6.16-r10/0125-2.6.16.13-sctp-conntrack-infiite-loop-fix.patch
Parent Directory
| 
Revision Log
Revision 70 -
(show annotations)
(download)
Thu May 11 19:09:22 2006 UTC (18 years ago) by niro
File size: 2211 byte(s)
Thu May 11 19:09:22 2006 UTC (18 years ago) by niro
File size: 2211 byte(s)
import
| 1 | From: Patrick McHardy <kaber@trash.net> |
| 2 | Date: Tue, 2 May 2006 21:23:07 +0000 (+0200) |
| 3 | Subject: [PATCH] NETFILTER: SCTP conntrack: fix infinite loop (CVE-2006-1527) |
| 4 | X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=25b6badde42165b717e3c232e4992b3f6761920a |
| 5 | |
| 6 | [PATCH] NETFILTER: SCTP conntrack: fix infinite loop (CVE-2006-1527) |
| 7 | |
| 8 | [NETFILTER]: SCTP conntrack: fix infinite loop |
| 9 | |
| 10 | fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to |
| 11 | guarantee progress of for_each_sctp_chunk(). (all other uses of |
| 12 | for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix |
| 13 | should be complete.) |
| 14 | |
| 15 | Based on patch from Ingo Molnar <mingo@elte.hu> |
| 16 | |
| 17 | Signed-off-by: Patrick McHardy <kaber@trash.net> |
| 18 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| 19 | --- |
| 20 | |
| 21 | --- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c |
| 22 | +++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c |
| 23 | @@ -235,12 +235,15 @@ static int do_basic_checks(struct ip_con |
| 24 | flag = 1; |
| 25 | } |
| 26 | |
| 27 | - /* Cookie Ack/Echo chunks not the first OR |
| 28 | - Init / Init Ack / Shutdown compl chunks not the only chunks */ |
| 29 | - if ((sch->type == SCTP_CID_COOKIE_ACK |
| 30 | + /* |
| 31 | + * Cookie Ack/Echo chunks not the first OR |
| 32 | + * Init / Init Ack / Shutdown compl chunks not the only chunks |
| 33 | + * OR zero-length. |
| 34 | + */ |
| 35 | + if (((sch->type == SCTP_CID_COOKIE_ACK |
| 36 | || sch->type == SCTP_CID_COOKIE_ECHO |
| 37 | || flag) |
| 38 | - && count !=0 ) { |
| 39 | + && count !=0) || !sch->length) { |
| 40 | DEBUGP("Basic checks failed\n"); |
| 41 | return 1; |
| 42 | } |
| 43 | --- a/net/netfilter/nf_conntrack_proto_sctp.c |
| 44 | +++ b/net/netfilter/nf_conntrack_proto_sctp.c |
| 45 | @@ -240,12 +240,15 @@ static int do_basic_checks(struct nf_con |
| 46 | flag = 1; |
| 47 | } |
| 48 | |
| 49 | - /* Cookie Ack/Echo chunks not the first OR |
| 50 | - Init / Init Ack / Shutdown compl chunks not the only chunks */ |
| 51 | - if ((sch->type == SCTP_CID_COOKIE_ACK |
| 52 | + /* |
| 53 | + * Cookie Ack/Echo chunks not the first OR |
| 54 | + * Init / Init Ack / Shutdown compl chunks not the only chunks |
| 55 | + * OR zero-length. |
| 56 | + */ |
| 57 | + if (((sch->type == SCTP_CID_COOKIE_ACK |
| 58 | || sch->type == SCTP_CID_COOKIE_ECHO |
| 59 | || flag) |
| 60 | - && count !=0 ) { |
| 61 | + && count !=0) || !sch->length) { |
| 62 | DEBUGP("Basic checks failed\n"); |
| 63 | return 1; |
| 64 | } |