From: Greg Kroah-Hartman Date: Tue, 2 May 2006 22:16:46 +0000 (-0700) Subject: 2.6.16.13 release X-Git-Tag: v2.6.16.13^0 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b2167213c8e88d815faf6c51a6d10c8a6a33dedb;p=thirdparty%2Fkernel%2Fstable-queue.git 2.6.16.13 release --- diff --git a/releases/2.6.16.13/netfilter-sctp-conntrack-fix-infinite-loop.patch b/releases/2.6.16.13/netfilter-sctp-conntrack-fix-infinite-loop.patch new file mode 100644 index 00000000000..42c0857526e --- /dev/null +++ b/releases/2.6.16.13/netfilter-sctp-conntrack-fix-infinite-loop.patch 
@@ -0,0 +1,69 @@ +From stable-bounces@linux.kernel.org Tue May 2 14:24:14 2006 +Message-ID: <4457CDBB.9010605@trash.net> +Date: Tue, 02 May 2006 23:23:07 +0200 +From: Patrick McHardy +To: stable@kernel.org +Cc: security@kernel.org, Netfilter Development Mailinglist , "David S. Miller" +Subject: NETFILTER: SCTP conntrack: fix infinite loop (CVE-2006-1527) + +[NETFILTER]: SCTP conntrack: fix infinite loop + +fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to +guarantee progress of for_each_sctp_chunk(). (all other uses of +for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix +should be complete.) + +Based on patch from Ingo Molnar + +Signed-off-by: Patrick McHardy +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/ip_conntrack_proto_sctp.c | 11 +++++++---- + net/netfilter/nf_conntrack_proto_sctp.c | 11 +++++++---- + 2 files changed, 14 insertions(+), 8 deletions(-) + +--- linux-2.6.16.12.orig/net/ipv4/netfilter/ip_conntrack_proto_sctp.c ++++ linux-2.6.16.12/net/ipv4/netfilter/ip_conntrack_proto_sctp.c +@@ -235,12 +235,15 @@ static int do_basic_checks(struct ip_con + flag = 1; + } + +- /* Cookie Ack/Echo chunks not the first OR +- Init / Init Ack / Shutdown compl chunks not the only chunks */ +- if ((sch->type == SCTP_CID_COOKIE_ACK ++ /* ++ * Cookie Ack/Echo chunks not the first OR ++ * Init / Init Ack / Shutdown compl chunks not the only chunks ++ * OR zero-length. 
++ */ ++ if (((sch->type == SCTP_CID_COOKIE_ACK + || sch->type == SCTP_CID_COOKIE_ECHO + || flag) +- && count !=0 ) { ++ && count !=0) || !sch->length) { + DEBUGP("Basic checks failed\n"); + return 1; + } +--- linux-2.6.16.12.orig/net/netfilter/nf_conntrack_proto_sctp.c ++++ linux-2.6.16.12/net/netfilter/nf_conntrack_proto_sctp.c +@@ -240,12 +240,15 @@ static int do_basic_checks(struct nf_con + flag = 1; + } + +- /* Cookie Ack/Echo chunks not the first OR +- Init / Init Ack / Shutdown compl chunks not the only chunks */ +- if ((sch->type == SCTP_CID_COOKIE_ACK ++ /* ++ * Cookie Ack/Echo chunks not the first OR ++ * Init / Init Ack / Shutdown compl chunks not the only chunks ++ * OR zero-length. ++ */ ++ if (((sch->type == SCTP_CID_COOKIE_ACK + || sch->type == SCTP_CID_COOKIE_ECHO + || flag) +- && count !=0 ) { ++ && count !=0) || !sch->length) { + DEBUGP("Basic checks failed\n"); + return 1; + }
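Review bot: In the net/ipv4/netfilter/ip_conntrack_proto_sctp.c hunk, the new `|| !sch->length` test rejects only a length of exactly zero, while the commit message states the goal as guaranteeing progress of for_each_sctp_chunk(). The iterator is not visible in this hunk, so please confirm, and say in the new comment, that a non-zero length smaller than the chunk header still advances the offset. If it does not, the length should be compared against the chunk header size rather than tested for zero. The zero-length case also falls through to the generic `DEBUGP("Basic checks failed\n")`, so a distinct message would make the rejected packet easier to identify when debugging.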
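Review bot: In the net/netfilter/nf_conntrack_proto_sctp.c hunk, the zero-length guard is a second copy of the same condition and sits in do_basic_checks() rather than in the iterator. The fix therefore depends on every for_each_sctp_chunk() user calling do_basic_checks() first, which the commit message asserts but nothing enforces. Consider moving the progress check into the for_each_sctp_chunk() loop condition, or at least documenting the requirement at the macro definition, so a later caller cannot reintroduce the loop. Minor style point: `&& count !=0)` should read `count != 0` while the line is being touched.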