2.6.22 queue started

author Greg Kroah-Hartman <gregkh@suse.de>

Tue, 10 Jul 2007 18:13:50 +0000 (11:13 -0700)

committer Greg Kroah-Hartman <gregkh@suse.de>

Tue, 10 Jul 2007 18:13:50 +0000 (11:13 -0700)
author Greg Kroah-Hartman <gregkh@suse.de>
Tue, 10 Jul 2007 18:13:50 +0000 (11:13 -0700)
committer Greg Kroah-Hartman <gregkh@suse.de>
Tue, 10 Jul 2007 18:13:50 +0000 (11:13 -0700)
diff --git a/queue-2.6.22/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch b/queue-2.6.22/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch

new file mode 100644 (file)

index 0000000..e64baa3
--- /dev/null
+++ b/queue-2.6.22/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch
@@ -0,0 +1,35 @@
+From 8c640bd0c68201dd0d71b78a07bb224973580ad3 Mon Sep 17 00:00:00 2001
+From: Patrick McHardy <kaber@trash.net>
+Date: Tue, 5 Jun 2007 14:14:22 +0200
+Subject: NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)
+
+When creating a new connection by sending an unknown chunk type, we
+don't transition to a valid state, causing a NULL pointer dereference in
+sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
+
+Fix by don't creating new conntrack entry if initial state is invalid.
+
+Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>
+
+CC: Kiran Kumar Immidi <immidi_kiran@yahoo.com>
+Cc: David Miller <davem@davemloft.net>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+---
+ net/netfilter/nf_conntrack_proto_sctp.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -460,7 +460,8 @@ static int sctp_new(struct nf_conn *conn
+                                        SCTP_CONNTRACK_NONE, sch->type);
+ 
+               /* Invalid: delete conntrack */
+-              if (newconntrack == SCTP_CONNTRACK_MAX) {
++              if (newconntrack == SCTP_CONNTRACK_NONE ||
++                  newconntrack == SCTP_CONNTRACK_MAX) {
+                       DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
+                       return 0;
+               }
diff --git a/queue-2.6.22/series b/queue-2.6.22/series

new file mode 100644 (file)

index 0000000..dbcc88f
--- /dev/null
+++ b/queue-2.6.22/series
@@ -0,0 +1 @@
+netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch
author	Greg Kroah-Hartman <gregkh@suse.de>
	Tue, 10 Jul 2007 18:13:50 +0000 (11:13 -0700)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Tue, 10 Jul 2007 18:13:50 +0000 (11:13 -0700)
queue-2.6.22/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch	[new file with mode: 0644]	patch \| blob
queue-2.6.22/series	[new file with mode: 0644]	patch \| blob