From: Patrick McHardy <kaber@trash.net>
To: stable@kernel.org
Cc: security@kernel.org,
Netfilter Development Mailinglist
<netfilter-devel@lists.netfilter.org>,
"David S. Miller" <davem@davemloft.net>
Subject: [NETFILTER]: SCTP conntrack: fix infinite loop
Date: Tue, 02 May 2006 23:23:07 +0200 [thread overview]
Message-ID: <4457CDBB.9010605@trash.net> (raw)
[-- Attachment #1: Type: text/plain, Size: 167 bytes --]
Ingo Molnar discovered that a SCTP packet with a chunk header length
of zero leads to an infinite loop in the SCTP connection tracking
helper. Please add to -stable.
[-- Attachment #2: sctp-stable.diff --]
[-- Type: text/plain, Size: 2521 bytes --]
[NETFILTER]: SCTP conntrack: fix infinite loop
fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to
guarantee progress of for_each_sctp_chunk(). (all other uses of
for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix
should be complete.)
Based on patch from Ingo Molnar <mingo@elte.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 97ca02fbb25efc9d5410439d9835e4aa7f61a12f
tree d0abdcb0dbc76c4b99662fd093afb75288ea6974
parent 42a46c74c4520174b82a60ac44c15b5525cdf238
author Patrick McHardy <kaber@trash.net> Tue, 02 May 2006 19:45:49 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 02 May 2006 19:45:49 +0200
net/ipv4/netfilter/ip_conntrack_proto_sctp.c | 11 +++++++----
net/netfilter/nf_conntrack_proto_sctp.c | 11 +++++++----
2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
index be602e8..ea5cc51 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
@@ -235,12 +235,15 @@ static int do_basic_checks(struct ip_con
flag = 1;
}
- /* Cookie Ack/Echo chunks not the first OR
- Init / Init Ack / Shutdown compl chunks not the only chunks */
- if ((sch->type == SCTP_CID_COOKIE_ACK
+ /*
+ * Cookie Ack/Echo chunks not the first OR
+ * Init / Init Ack / Shutdown compl chunks not the only chunks
+ * OR zero-length.
+ */
+ if (((sch->type == SCTP_CID_COOKIE_ACK
|| sch->type == SCTP_CID_COOKIE_ECHO
|| flag)
- && count !=0 ) {
+ && count !=0) || !sch->length) {
DEBUGP("Basic checks failed\n");
return 1;
}
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index cf798e6..6c3881b 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -240,12 +240,15 @@ static int do_basic_checks(struct nf_con
flag = 1;
}
- /* Cookie Ack/Echo chunks not the first OR
- Init / Init Ack / Shutdown compl chunks not the only chunks */
- if ((sch->type == SCTP_CID_COOKIE_ACK
+ /*
+ * Cookie Ack/Echo chunks not the first OR
+ * Init / Init Ack / Shutdown compl chunks not the only chunks
+ * OR zero-length.
+ */
+ if (((sch->type == SCTP_CID_COOKIE_ACK
|| sch->type == SCTP_CID_COOKIE_ECHO
|| flag)
- && count !=0 ) {
+ && count !=0) || !sch->length) {
DEBUGP("Basic checks failed\n");
return 1;
}
reply other threads:[~2006-05-02 21:23 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4457CDBB.9010605@trash.net \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=netfilter-devel@lists.netfilter.org \
--cc=security@kernel.org \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.