From: Chris Wright <chrisw@sous-sol.org>
Date: Tue, 20 Jun 2006 09:46:54 +0000 (-0700)
Subject: release Linux 2.6.17.1 with SCTP security fix
X-Git-Tag: v2.6.17.1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dcdf5d0e4fac2b10b37569881289377bf12bf3ba;p=thirdparty%2Fkernel%2Fstable-queue.git

release Linux 2.6.17.1 with SCTP security fix
---

diff --git a/releases/2.6.17.1/series b/releases/2.6.17.1/series
new file mode 100644
index 00000000000..7e9731699ef
--- /dev/null
+++ b/releases/2.6.17.1/series
@@ -0,0 +1 @@
+xt_sctp-fix-endless-loop-caused-by-0-chunk-length.patch
diff --git a/releases/2.6.17.1/xt_sctp-fix-endless-loop-caused-by-0-chunk-length.patch b/releases/2.6.17.1/xt_sctp-fix-endless-loop-caused-by-0-chunk-length.patch
new file mode 100644
index 00000000000..b1460ac1398
--- /dev/null
+++ b/releases/2.6.17.1/xt_sctp-fix-endless-loop-caused-by-0-chunk-length.patch
@@ -0,0 +1,28 @@
+From stable-bounces@linux.kernel.org  Mon Jun 19 10:18:30 2006
+Date: Mon, 19 Jun 2006 19:14:21 +0200
+From: Patrick McHardy <kaber@trash.net>
+To: "David S. Miller" <davem@davemloft.net>
+Cc: security@kernel.org, stable@kernel.org
+Subject: [NETFILTER]: xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)
+
+Fix endless loop in the SCTP match similar to those already fixed in the
+SCTP conntrack helper (was CVE-2006-1527).
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ net/netfilter/xt_sctp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.17.orig/net/netfilter/xt_sctp.c
++++ linux-2.6.17/net/netfilter/xt_sctp.c
+@@ -62,7 +62,7 @@ match_packet(const struct sk_buff *skb,
+ 
+ 	do {
+ 		sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
+-		if (sch == NULL) {
++		if (sch == NULL || sch->length == 0) {
+ 			duprintf("Dropping invalid SCTP packet.\n");
+ 			*hotdrop = 1;
+ 			return 0;