From: Chris Wright Date: Fri, 30 Jun 2006 18:24:13 +0000 (-0700) Subject: SCTP fix for 2.6.16 X-Git-Tag: v2.6.16.23~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=92dac7630a6f9d98125700e3872ec2806a5b7107;p=thirdparty%2Fkernel%2Fstable-queue.git SCTP fix for 2.6.16 --- diff --git a/releases/2.6.16.23/netfilter-sctp-conntrack-fix-crash-triggered-by-packet-without-chunks.patch b/releases/2.6.16.23/netfilter-sctp-conntrack-fix-crash-triggered-by-packet-without-chunks.patch new file mode 100644 index 00000000000..accf9fe7f35 --- /dev/null +++ b/releases/2.6.16.23/netfilter-sctp-conntrack-fix-crash-triggered-by-packet-without-chunks.patch 
@@ -0,0 +1,45 @@ +From security-bounces@linux.kernel.org Thu Jun 29 20:35:14 2006 +Date: Fri, 30 Jun 2006 05:33:12 +0200 +From: Patrick McHardy +To: "David S. Miller" +Cc: stable@kernel.org +Subject: NETFILTER: SCTP conntrack: fix crash triggered by packet without chunks [CVE-2006-2934] + +When a packet without any chunks is received, the newconntrack variable +in sctp_packet contains an out of bounds value that is used to look up an +pointer from the array of timeouts, which is then dereferenced, resulting +in a crash. Make sure at least a single chunk is present. + +Problem noticed by George A. Theall + +Signed-off-by: Patrick McHardy +Signed-off-by: Chris Wright + +--- + + net/ipv4/netfilter/ip_conntrack_proto_sctp.c | 2 +- + net/netfilter/nf_conntrack_proto_sctp.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- linux-2.6.16.22.orig/net/ipv4/netfilter/ip_conntrack_proto_sctp.c ++++ linux-2.6.16.22/net/ipv4/netfilter/ip_conntrack_proto_sctp.c +@@ -254,7 +254,7 @@ static int do_basic_checks(struct ip_con + } + + DEBUGP("Basic checks passed\n"); +- return 0; ++ return count == 0; + } + + static int new_state(enum ip_conntrack_dir dir, +--- linux-2.6.16.22.orig/net/netfilter/nf_conntrack_proto_sctp.c ++++ linux-2.6.16.22/net/netfilter/nf_conntrack_proto_sctp.c +@@ -259,7 +259,7 @@ static int do_basic_checks(struct nf_con + } + + DEBUGP("Basic checks passed\n"); +- return 0; ++ return count == 0; + } + + static int new_state(enum ip_conntrack_dir dir, diff --git a/releases/2.6.16.23/series b/releases/2.6.16.23/series new file mode 100644 index 00000000000..2cb07ff717a --- /dev/null +++ b/releases/2.6.16.23/series @@ -0,0 +1 @@ +netfilter-sctp-conntrack-fix-crash-triggered-by-packet-without-chunks.patch
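Review bot: In the do_basic_checks hunk for net/ipv4/netfilter/ip_conntrack_proto_sctp.c, DEBUGP("Basic checks passed\n") still runs immediately before the new return count == 0; so a packet with no chunks logs that the checks passed and is then reported as failing. Test count ahead of the DEBUGP call and give the rejection its own debug line, for example if (count == 0) return 1; placed above it. The nf_conntrack_proto_sctp.c hunk has the same ordering and needs the same change.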
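Review bot: In the do_basic_checks hunk for net/netfilter/nf_conntrack_proto_sctp.c, return count == 0; relies on an undocumented convention that a non-zero return means the packet failed the checks, and neither the declaration of count nor its per-chunk increment is visible in the context lines. Add a short comment at the return saying that a packet with no chunks must be rejected because, per the commit message, newconntrack in sctp_packet is otherwise left out of bounds. Also consider a range check on newconntrack where sctp_packet indexes the timeouts array, so that the lookup does not depend on this one check alone.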