Re: [netfilter-core] Re: [lockup] 2.6.17-rc3: netfilter/sctp: lockup in sctp_new(), do_basic_checks()

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: Ingo Molnar <mingo@elte.hu>
Cc: linux-kernel@vger.kernel.org, Andrew Morton <akpm@osdl.org>,
	coreteam@netfilter.org, "David S. Miller" <davem@davemloft.net>,
	Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [netfilter-core] Re: [lockup] 2.6.17-rc3: netfilter/sctp: lockup in	sctp_new(), do_basic_checks()
Date: Tue, 02 May 2006 15:57:30 +0200	[thread overview]
Message-ID: <4457654A.9040200@trash.net> (raw)
In-Reply-To: <20060502140102.GA31743@elte.hu>

[-- Attachment #1: Type: text/plain, Size: 322 bytes --]

Ingo Molnar wrote:
>>
>>I just came up with a similar fix :) I think I'm going to take my own 
>>patch though because its IMO slightly nicer. Thanks anyway.
> 
> 
> could you send your patch so that i can start using it instead of mine?

I did a couple of minutes ago. Here it is again in case my last mail
won't show up.

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 2421 bytes --]

[NETFILTER]: Fix endless loop in SCTP conntrack

When a chunk length is zero, for_each_sctp_chunk() doesn't make any forward
progress and loops forever. A chunk length of 0 is invalid, so just abort
in that case.

Reported by Ingo Molnar <mingo@elte.hu>.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 32491b3d62bc8c3ff2400deebd46972ebc7332af
tree 7249133ec32c18f4e6f989560e8d86b5e2e2cf0c
parent 462f3ddd384045c731b3268a1b9c91c834a5a68a
author Patrick McHardy <kaber@trash.net> Tue, 02 May 2006 15:44:30 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 02 May 2006 15:44:30 +0200

 net/ipv4/netfilter/ip_conntrack_proto_sctp.c |    4 ++--
 net/netfilter/nf_conntrack_proto_sctp.c      |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
index 5259abd..ebd4ecf 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
@@ -209,8 +209,8 @@ static int sctp_print_conntrack(struct s
 #define for_each_sctp_chunk(skb, sch, _sch, offset, count)		\
 for (offset = skb->nh.iph->ihl * 4 + sizeof(sctp_sctphdr_t), count = 0;	\
 	offset < skb->len &&						\
-	(sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch));	\
-	offset += (htons(sch->length) + 3) & ~3, count++)
+	(sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch)) &&  \
+	sch->length; offset += (htons(sch->length) + 3) & ~3, count++)
 
 /* Some validity checks to make sure the chunks are fine */
 static int do_basic_checks(struct ip_conntrack *conntrack,
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 9cccc32..2e34436 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -213,8 +213,8 @@ static int sctp_print_conntrack(struct s
 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count)	\
 for (offset = dataoff + sizeof(sctp_sctphdr_t), count = 0;		\
 	offset < skb->len &&						\
-	(sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch));	\
-	offset += (htons(sch->length) + 3) & ~3, count++)
+	(sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch)) &&	\
+	sch->length; offset += (htons(sch->length) + 3) & ~3, count++)
 
 /* Some validity checks to make sure the chunks are fine */
 static int do_basic_checks(struct nf_conn *conntrack,

next prev parent reply	other threads:[~2006-05-02 13:57 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-05-02 11:34 [lockup] 2.6.17-rc3: netfilter/sctp: lockup in sctp_new(), do_basic_checks() Ingo Molnar
2006-05-02 13:40 ` Ingo Molnar
2006-05-02 13:45   ` Ingo Molnar
2006-05-02 13:54   ` [netfilter-core] " Patrick McHardy
2006-05-02 14:01     ` Ingo Molnar
2006-05-02 13:57       ` Patrick McHardy [this message]
2006-05-02 14:16         ` Ingo Molnar
2006-05-02 14:24           ` Ingo Molnar
2006-05-02 14:29           ` Patrick McHardy
2006-05-02 14:38             ` Ingo Molnar
2006-05-02 14:35               ` Patrick McHardy
2006-05-02 14:42               ` Ingo Molnar
2006-05-02 14:40                 ` Patrick McHardy
2006-05-02 13:45 ` [netfilter-core] " Patrick McHardy
2006-05-02 15:34 ` Marcel Holtmann
2006-05-02 15:55   ` [netfilter-core] " Patrick McHardy

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:5259abd dfblob:ebd4ecf dfblob:9cccc32 dfblob:2e34436 )
 OR (
bs:"Re: [netfilter-core] Re: [lockup] 2.6.17-rc3: netfilter/sctp: lockup in	sctp_new(), do_basic_checks()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4457654A.9040200@trash.net \
    --to=kaber@trash.net \
    --cc=akpm@osdl.org \
    --cc=coreteam@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@elte.hu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox