From: Patrick McHardy Date: Mon, 19 Jun 2006 17:14:21 +0000 (+0200) Subject: [PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085) X-Git-Tag: v2.6.16.21~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab46ee26dc90c5608c0d51c33a029fe514c0a49d;p=thirdparty%2Fkernel%2Fstable.git [PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085) Fix endless loop in the SCTP match similar to those already fixed in the SCTP conntrack helper (was CVE-2006-1527). Signed-off-by: Patrick McHardy Signed-off-by: Chris Wright --- diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c index 10fbfc5ba7587..239018244407b 100644 --- a/net/netfilter/xt_sctp.c +++ b/net/netfilter/xt_sctp.c @@ -62,7 +62,7 @@ match_packet(const struct sk_buff *skb, do { sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch); - if (sch == NULL) { + if (sch == NULL || sch->length == 0) { duprintf("Dropping invalid SCTP packet.\n"); *hotdrop = 1; return 0;
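Review bot: In the match_packet hunk, the added test sch->length == 0 rejects only a length of exactly zero, which is the case the commit message ties to the endless loop. A non-zero length smaller than the chunk header just read through skb_header_pointer(skb, offset, sizeof(_sch), &_sch) still passes, although an SCTP chunk length counts its own header and so cannot validly be shorter than it. Consider rejecting ntohs(sch->length) < sizeof(_sch) instead, so that every under-length chunk takes the same hotdrop path. If the zero-only check is kept, a one-line comment above it would help: it should say that the zero test is what guarantees the do loop makes forward progress, and that comparing the network-order field against 0 needs no byte swap. The duprintf text "Dropping invalid SCTP packet." is now shared by the NULL-header and zero-length cases; separate messages would make debug output distinguish a truncated packet from a malformed chunk.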