]>
Commit | Line | Data |
---|---|---|
a2fd49a0 GKH |
1 | From 8c640bd0c68201dd0d71b78a07bb224973580ad3 Mon Sep 17 00:00:00 2001 |
2 | From: Patrick McHardy <kaber@trash.net> | |
3 | Date: Tue, 5 Jun 2007 14:14:22 +0200 | |
4 | Subject: NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876) | |
5 | ||
6 | When creating a new connection by sending an unknown chunk type, we | |
7 | don't transition to a valid state, causing a NULL pointer dereference in | |
8 | sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE]. | |
9 | ||
10 | Fix by don't creating new conntrack entry if initial state is invalid. | |
11 | ||
12 | Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu> | |
13 | ||
14 | CC: Kiran Kumar Immidi <immidi_kiran@yahoo.com> | |
15 | Cc: David Miller <davem@davemloft.net> | |
16 | Signed-off-by: Patrick McHardy <kaber@trash.net> | |
17 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |
18 | Signed-off-by: Chris Wright <chrisw@sous-sol.org> | |
19 | ||
20 | --- | |
21 | net/netfilter/nf_conntrack_proto_sctp.c | 3 ++- | |
22 | 1 file changed, 2 insertions(+), 1 deletion(-) | |
23 | ||
24 | --- a/net/netfilter/nf_conntrack_proto_sctp.c | |
25 | +++ b/net/netfilter/nf_conntrack_proto_sctp.c | |
26 | @@ -460,7 +460,8 @@ static int sctp_new(struct nf_conn *conn | |
27 | SCTP_CONNTRACK_NONE, sch->type); | |
28 | ||
29 | /* Invalid: delete conntrack */ | |
30 | - if (newconntrack == SCTP_CONNTRACK_MAX) { | |
31 | + if (newconntrack == SCTP_CONNTRACK_NONE || | |
32 | + newconntrack == SCTP_CONNTRACK_MAX) { | |
33 | DEBUGP("nf_conntrack_sctp: invalid new deleting.\n"); | |
34 | return 0; | |
35 | } |