SCTP fix for 2.6.16

author Chris Wright <chrisw@sous-sol.org>

Fri, 30 Jun 2006 18:24:13 +0000 (11:24 -0700)

committer Chris Wright <chrisw@sous-sol.org>

Fri, 30 Jun 2006 18:24:13 +0000 (11:24 -0700)
author Chris Wright <chrisw@sous-sol.org>
Fri, 30 Jun 2006 18:24:13 +0000 (11:24 -0700)
committer Chris Wright <chrisw@sous-sol.org>
Fri, 30 Jun 2006 18:24:13 +0000 (11:24 -0700)
diff --git a/releases/2.6.16.23/netfilter-sctp-conntrack-fix-crash-triggered-by-packet-without-chunks.patch b/releases/2.6.16.23/netfilter-sctp-conntrack-fix-crash-triggered-by-packet-without-chunks.patch

new file mode 100644 (file)

index 0000000..accf9fe
--- /dev/null
+++ b/releases/2.6.16.23/netfilter-sctp-conntrack-fix-crash-triggered-by-packet-without-chunks.patch
@@ -0,0 +1,45 @@
+From security-bounces@linux.kernel.org  Thu Jun 29 20:35:14 2006
+Date: Fri, 30 Jun 2006 05:33:12 +0200
+From: Patrick McHardy <kaber@trash.net>
+To: "David S. Miller" <davem@davemloft.net>
+Cc: stable@kernel.org
+Subject: NETFILTER: SCTP conntrack: fix crash triggered by packet without chunks [CVE-2006-2934]
+
+When a packet without any chunks is received, the newconntrack variable
+in sctp_packet contains an out of bounds value that is used to look up an
+pointer from the array of timeouts, which is then dereferenced, resulting
+in a crash. Make sure at least a single chunk is present.
+
+Problem noticed by George A. Theall <theall@tenablesecurity.com>
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+
+ net/ipv4/netfilter/ip_conntrack_proto_sctp.c |    2 +-
+ net/netfilter/nf_conntrack_proto_sctp.c      |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.16.22.orig/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
++++ linux-2.6.16.22/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+@@ -254,7 +254,7 @@ static int do_basic_checks(struct ip_con
+       }
+ 
+       DEBUGP("Basic checks passed\n");
+-      return 0;
++      return count == 0;
+ }
+ 
+ static int new_state(enum ip_conntrack_dir dir,
+--- linux-2.6.16.22.orig/net/netfilter/nf_conntrack_proto_sctp.c
++++ linux-2.6.16.22/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -259,7 +259,7 @@ static int do_basic_checks(struct nf_con
+       }
+ 
+       DEBUGP("Basic checks passed\n");
+-      return 0;
++      return count == 0;
+ }
+ 
+ static int new_state(enum ip_conntrack_dir dir,
diff --git a/releases/2.6.16.23/series b/releases/2.6.16.23/series

new file mode 100644 (file)

index 0000000..2cb07ff
--- /dev/null
+++ b/releases/2.6.16.23/series
@@ -0,0 +1 @@
+netfilter-sctp-conntrack-fix-crash-triggered-by-packet-without-chunks.patch
author	Chris Wright <chrisw@sous-sol.org>
	Fri, 30 Jun 2006 18:24:13 +0000 (11:24 -0700)
committer	Chris Wright <chrisw@sous-sol.org>
	Fri, 30 Jun 2006 18:24:13 +0000 (11:24 -0700)
releases/2.6.16.23/netfilter-sctp-conntrack-fix-crash-triggered-by-packet-without-chunks.patch	[new file with mode: 0644]	patch \| blob
releases/2.6.16.23/series	[new file with mode: 0644]	patch \| blob