[thirdparty/kernel/stable-queue.git] / releases / 2.6.22.1 / netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch

From 8c640bd0c68201dd0d71b78a07bb224973580ad3 Mon Sep 17 00:00:00 2001
From: Patrick McHardy <kaber@trash.net>
Date: Tue, 5 Jun 2007 14:14:22 +0200
Subject: NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)

When creating a new connection by sending an unknown chunk type, we
don't transition to a valid state, causing a NULL pointer dereference in
sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].

Fix by don't creating new conntrack entry if initial state is invalid.

Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>

CC: Kiran Kumar Immidi <immidi_kiran@yahoo.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
 net/netfilter/nf_conntrack_proto_sctp.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -460,7 +460,8 @@ static int sctp_new(struct nf_conn *conn
 					 SCTP_CONNTRACK_NONE, sch->type);
 
 		/* Invalid: delete conntrack */
-		if (newconntrack == SCTP_CONNTRACK_MAX) {
+		if (newconntrack == SCTP_CONNTRACK_NONE ||
+		    newconntrack == SCTP_CONNTRACK_MAX) {
 			DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
 			return 0;
 		}
Commit	Line	Data
a2fd49a0 GKH	1	From 8c640bd0c68201dd0d71b78a07bb224973580ad3 Mon Sep 17 00:00:00 2001
	2	From: Patrick McHardy <kaber@trash.net>
	3	Date: Tue, 5 Jun 2007 14:14:22 +0200
	4	Subject: NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)
	5
	6	When creating a new connection by sending an unknown chunk type, we
	7	don't transition to a valid state, causing a NULL pointer dereference in
	8	sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
	9
	10	Fix by don't creating new conntrack entry if initial state is invalid.
	11
	12	Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>
	13
	14	CC: Kiran Kumar Immidi <immidi_kiran@yahoo.com>
	15	Cc: David Miller <davem@davemloft.net>
	16	Signed-off-by: Patrick McHardy <kaber@trash.net>
	17	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	18	Signed-off-by: Chris Wright <chrisw@sous-sol.org>
	19
	20	---
	21	net/netfilter/nf_conntrack_proto_sctp.c \| 3 ++-
	22	1 file changed, 2 insertions(+), 1 deletion(-)
	23
	24	--- a/net/netfilter/nf_conntrack_proto_sctp.c
	25	+++ b/net/netfilter/nf_conntrack_proto_sctp.c
	26	@@ -460,7 +460,8 @@ static int sctp_new(struct nf_conn *conn
	27	SCTP_CONNTRACK_NONE, sch->type);
	28
	29	/* Invalid: delete conntrack */
	30	- if (newconntrack == SCTP_CONNTRACK_MAX) {
	31	+ if (newconntrack == SCTP_CONNTRACK_NONE \|\|
	32	+ newconntrack == SCTP_CONNTRACK_MAX) {
	33	DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
	34	return 0;
	35	}