Ingo Molnar wrote: > * Patrick McHardy wrote: > > >>I did a couple of minutes ago. Here it is again in case my last mail >>won't show up. > > >>- (sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch)); \ >>- offset += (htons(sch->length) + 3) & ~3, count++) >>+ (sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch)) && \ >>+ sch->length; offset += (htons(sch->length) + 3) & ~3, count++) > > > but this makes do_basic_checks() not fail, and the clearly bogus packet > is passed further down. The reason i have put it inside the loop is to > be able to return 1 for the early checks. How about the fix below? It > should be cleaner and it will also return 1 if the initial offset is > oversized. Right, that is better. > Index: linux/net/ipv4/netfilter/ip_conntrack_proto_sctp.c > =================================================================== > --- linux.orig/net/ipv4/netfilter/ip_conntrack_proto_sctp.c > +++ linux/net/ipv4/netfilter/ip_conntrack_proto_sctp.c > @@ -224,6 +224,13 @@ static int do_basic_checks(struct ip_con > DEBUGP(__FUNCTION__); > DEBUGP("\n"); > > + /* > + * Dont trust the initial offset: > + */ > + offset = skb->nh.iph->ihl * 4 + sizeof(sctp_sctphdr_t); > + if (offset >= skb->len) > + return 1; > + That part is unnecessary, the presence of one sctp_sctphdr_t has already been verified by skb_header_pointer() in sctp_new(). How about this patch (based on your patch, but typos fixed and also covers nf_conntrack)?
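Review bot: the `&& sch->length` added to the loop condition in the first diff stops the walk on a zero-length chunk (with length 0, `offset += (htons(sch->length) + 3) & ~3` adds nothing, so the loop would otherwise never advance), but it ends the loop exactly the way a normal end-of-packet does, which is why, as the reply points out, do_basic_checks() no longer fails on it once an earlier chunk has been counted. Suggest recording why the loop stopped, for example testing after the loop whether a chunk was fetched with `sch->length` of 0 (or smaller than the chunk header) and returning failure in that case instead of relying on `count` alone. Minor: the field is read from the wire, so `ntohs(sch->length)` documents the direction better than `htons`, although the two produce the same value.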
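Review bot: the added `offset = ...; if (offset >= skb->len) return 1;` block in do_basic_checks() only rejects a packet that has no room for a first chunk; it does not cover a zero-length or oversized chunk encountered later in the walk, which is what the earlier one-line diff was addressing, so the two checks are complementary rather than alternatives. As the reply notes, the presence of the common header has already been verified by skb_header_pointer() in sctp_new(), so this recomputation duplicates that check; if it is kept as a belt-and-braces measure, the comment should say so and point at sctp_new() rather than "Dont trust the initial offset" (also a typo: `Dont` should be `Don't`).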
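To make the point of the thread concrete, here is an added example that is not code from either patch or from the kernel: a user-space SCTP chunk walker over a byte buffer that reports why it stopped, so a zero-length chunk (which would leave the offset unchanged in an unchecked loop) or a chunk that overruns the packet fails validation instead of silently ending the walk the way the `&& sch->length` test does. The result enum, the helper names, and the sample packets are all constructed for this illustration and do not correspond to any kernel API.

```c
/* Added example, not from the thread's patches or the kernel: a bounded
 * SCTP chunk walker that distinguishes "end of packet" from "malformed
 * chunk".  Result names and sample packets are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SCTP_COMMON_HDR_LEN 12u  /* ports, verification tag, checksum */
#define SCTP_CHUNK_HDR_LEN   4u  /* type, flags, 16-bit length */

enum sctp_walk_result {
    SCTP_WALK_OK = 0,        /* every chunk well formed, packet fully consumed */
    SCTP_WALK_NO_CHUNKS,     /* nothing after the common header */
    SCTP_WALK_TRUNCATED,     /* packet ends inside a header */
    SCTP_WALK_BAD_LENGTH,    /* chunk length < 4, which includes length 0 */
    SCTP_WALK_OVERRUN        /* chunk length runs past the end of the packet */
};

/* Walk every chunk after the common header.  *count receives the number of
 * chunks accepted before the walk stopped, so a caller can tell "one good
 * chunk then a bogus one" apart from "one good chunk then end of packet". */
enum sctp_walk_result sctp_walk_chunks(const uint8_t *pkt, size_t len,
                                       unsigned *count)
{
    size_t offset = SCTP_COMMON_HDR_LEN;

    *count = 0;
    if (len < SCTP_COMMON_HDR_LEN)
        return SCTP_WALK_TRUNCATED;
    if (len == SCTP_COMMON_HDR_LEN)
        return SCTP_WALK_NO_CHUNKS;

    while (offset < len) {
        size_t remaining = len - offset, clen, padded;

        if (remaining < SCTP_CHUNK_HDR_LEN)
            return SCTP_WALK_TRUNCATED;

        /* big-endian 16-bit length at bytes 2..3 of the chunk header */
        clen = ((size_t)pkt[offset + 2] << 8) | pkt[offset + 3];

        /* The length includes the 4-byte header, so anything smaller is bogus.
         * Length 0 is the dangerous case: (0 + 3) & ~3 == 0, so a loop that
         * only adds the padded length would never advance. */
        if (clen < SCTP_CHUNK_HDR_LEN)
            return SCTP_WALK_BAD_LENGTH;
        if (clen > remaining)
            return SCTP_WALK_OVERRUN;

        (*count)++;
        /* chunks are padded to 4 bytes; tolerate a missing pad on the last one */
        padded = (clen + 3) & ~(size_t)3;
        offset += padded < remaining ? padded : remaining;
    }
    return SCTP_WALK_OK;
}

/* Constructed sample packets: 12 zero bytes of common header, then chunks. */
static const uint8_t pkt_one_chunk[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x01, 0x00, 0x00, 0x04,                 /* one chunk, length 4 */
};
static const uint8_t pkt_two_chunks[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x01, 0x00, 0x00, 0x04,                 /* length 4 */
    0x03, 0x00, 0x00, 0x05, 0xAA, 0,0,0,    /* length 5 plus 3 bytes of pad */
};
static const uint8_t pkt_zero_len_second[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x01, 0x00, 0x00, 0x04,
    0x03, 0x00, 0x00, 0x00,                 /* second chunk claims length 0 */
};
static const uint8_t pkt_overrun[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x01, 0x00, 0x00, 0x10,                 /* claims 16 bytes, only 4 present */
};
static const uint8_t pkt_header_only[] = { 0,0,0,0, 0,0,0,0, 0,0,0,0 };

/* Wrappers so result and chunk count can be inspected separately. */
enum sctp_walk_result result_of(const uint8_t *pkt, size_t len)
{
    unsigned n;
    return sctp_walk_chunks(pkt, len, &n);
}
unsigned chunks_before_stop(const uint8_t *pkt, size_t len)
{
    unsigned n;
    (void)sctp_walk_chunks(pkt, len, &n);
    return n;
}

int main(void)
{
    printf("two chunks: result %d, count %u\n",
           result_of(pkt_two_chunks, sizeof pkt_two_chunks),
           chunks_before_stop(pkt_two_chunks, sizeof pkt_two_chunks));
    printf("zero-length second chunk: result %d, count %u\n",
           result_of(pkt_zero_len_second, sizeof pkt_zero_len_second),
           chunks_before_stop(pkt_zero_len_second, sizeof pkt_zero_len_second));
    return 0;
}
```

The design point is that the walker returns a distinct code for each way the walk can stop; a caller equivalent to do_basic_checks() then fails the packet on anything other than SCTP_WALK_OK, instead of having to infer from a chunk count whether the loop ended at the packet boundary or at a bogus length.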