2.6.20 patch added

diff --git a/queue-2.6.20/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch b/queue-2.6.20/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch
new file mode 100644 (file)
index 0000000..162abbc
--- /dev/null
+++ b/queue-2.6.20/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch
@@ -0,0 +1,52 @@
+From stable-bounces@linux.kernel.org Tue Jun  5 05:17:17 2007
+From: Patrick McHardy <kaber@trash.net>
+Date: Tue, 05 Jun 2007 14:14:22 +0200
+Subject: NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)
+To: "David S. Miller" <davem@davemloft.net>
+Cc: security@kernel.org, Adrian Bunk <bunk@stusta.de>, Kiran Kumar Immidi <immidi_kiran@yahoo.com>, stable@kernel.org, Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>
+Message-ID: <4665539E.9040005@trash.net>
+
+From: Patrick McHardy <kaber@trash.net>
+
+When creating a new connection by sending an unknown chunk type, we
+don't transition to a valid state, causing a NULL pointer dereference in
+sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
+
+Fix by don't creating new conntrack entry if initial state is invalid.
+
+Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>
+
+CC: Kiran Kumar Immidi <immidi_kiran@yahoo.com>
+Cc: David Miller <davem@davemloft.net>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/netfilter/ip_conntrack_proto_sctp.c |    3 ++-
+ net/netfilter/nf_conntrack_proto_sctp.c      |    3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
++++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+@@ -461,7 +461,8 @@ static int sctp_new(struct ip_conntrack 
+                                               SCTP_CONNTRACK_NONE, sch->type);
+ 
+               /* Invalid: delete conntrack */
+-              if (newconntrack == SCTP_CONNTRACK_MAX) {
++              if (newconntrack == SCTP_CONNTRACK_NONE ||
++                  newconntrack == SCTP_CONNTRACK_MAX) {
+                       DEBUGP("ip_conntrack_sctp: invalid new deleting.\n");
+                       return 0;
+               }
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -470,7 +470,8 @@ static int sctp_new(struct nf_conn *conn
+                                        SCTP_CONNTRACK_NONE, sch->type);
+ 
+               /* Invalid: delete conntrack */
+-              if (newconntrack == SCTP_CONNTRACK_MAX) {
++              if (newconntrack == SCTP_CONNTRACK_NONE ||
++                  newconntrack == SCTP_CONNTRACK_MAX) {
+                       DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
+                       return 0;
+               }

diff --git a/queue-2.6.20/series b/queue-2.6.20/series
index 3694d3eecf158eb65e45bd83edbd86c97504df88..2b6be9fc19cb00d5e890fa2a40ef6c1c64049206 100644 (file)
--- a/queue-2.6.20/series
+++ b/queue-2.6.20/series
@@ -16,3 +16,4 @@ alsa-usb-audio-explicitly-match-logitech-quickcam.patch
 v4l-dvb-budget-ci-fix-tuning-for-tdm-1316.patch
 kbuild-fixdep-segfault-on-pathological-string-o-death.patch
 ntfs_init_locked_inode-fix-array-indexing.patch
+netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch