* [NETFILTER]: SCTP conntrack: fix infinite loop
@ 2006-05-02 21:23 Patrick McHardy
0 siblings, 0 replies; only message in thread
From: Patrick McHardy @ 2006-05-02 21:23 UTC (permalink / raw)
To: stable; +Cc: security, Netfilter Development Mailinglist, David S. Miller
[-- Attachment #1: Type: text/plain, Size: 167 bytes --]
Ingo Molnar discovered that a SCTP packet with a chunk header length
of zero leads to an infinite loop in the SCTP connection tracking
helper. Please add to -stable.
[-- Attachment #2: sctp-stable.diff --]
[-- Type: text/plain, Size: 2521 bytes --]
[NETFILTER]: SCTP conntrack: fix infinite loop
fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to
guarantee progress of for_each_sctp_chunk(). (all other uses of
for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix
should be complete.)
Based on patch from Ingo Molnar <mingo@elte.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 97ca02fbb25efc9d5410439d9835e4aa7f61a12f
tree d0abdcb0dbc76c4b99662fd093afb75288ea6974
parent 42a46c74c4520174b82a60ac44c15b5525cdf238
author Patrick McHardy <kaber@trash.net> Tue, 02 May 2006 19:45:49 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 02 May 2006 19:45:49 +0200
net/ipv4/netfilter/ip_conntrack_proto_sctp.c | 11 +++++++----
net/netfilter/nf_conntrack_proto_sctp.c | 11 +++++++----
2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
index be602e8..ea5cc51 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
@@ -235,12 +235,15 @@ static int do_basic_checks(struct ip_con
flag = 1;
}
- /* Cookie Ack/Echo chunks not the first OR
- Init / Init Ack / Shutdown compl chunks not the only chunks */
- if ((sch->type == SCTP_CID_COOKIE_ACK
+ /*
+ * Cookie Ack/Echo chunks not the first OR
+ * Init / Init Ack / Shutdown compl chunks not the only chunks
+ * OR zero-length.
+ */
+ if (((sch->type == SCTP_CID_COOKIE_ACK
|| sch->type == SCTP_CID_COOKIE_ECHO
|| flag)
- && count !=0 ) {
+ && count !=0) || !sch->length) {
DEBUGP("Basic checks failed\n");
return 1;
}
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index cf798e6..6c3881b 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -240,12 +240,15 @@ static int do_basic_checks(struct nf_con
flag = 1;
}
- /* Cookie Ack/Echo chunks not the first OR
- Init / Init Ack / Shutdown compl chunks not the only chunks */
- if ((sch->type == SCTP_CID_COOKIE_ACK
+ /*
+ * Cookie Ack/Echo chunks not the first OR
+ * Init / Init Ack / Shutdown compl chunks not the only chunks
+ * OR zero-length.
+ */
+ if (((sch->type == SCTP_CID_COOKIE_ACK
|| sch->type == SCTP_CID_COOKIE_ECHO
|| flag)
- && count !=0 ) {
+ && count !=0) || !sch->length) {
DEBUGP("Basic checks failed\n");
return 1;
}
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2006-05-02 21:23 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-05-02 21:23 [NETFILTER]: SCTP conntrack: fix infinite loop Patrick McHardy
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.