[PATCH] Fix crash in ip_nat_pptp (CVE-2006-0036)

When an inbound PPTP_IN_CALL_REQUEST packet is received the PPTP NAT helper uses a NULL pointer in pointer arithmentic to calculate the offset in the packet which needs to be mangled and corrupts random memory or crashes. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
author: Patrick McHardy <kaber@trash.net> 2006-01-10 02:00:07 +0100
committer: Chris Wright <chrisw@sous-sol.org> 2006-01-14 22:15:29 -0800
commit: a81954faaf6fdbf1fd8a1ef03f2d75e01f56a974 (patch)
tree: 83256f69b60a0b5c7e76c33ddf32817594aa272f
parent: e7594b2f2389fab1558fed58507ad3ce7d4eae56 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/ip_nat_helper_pptp.c b/net/ipv4/netfilter/ip_nat_helper_pptp.c
index e546203f566..8ad7b36e242 100644
--- a/net/ipv4/netfilter/ip_nat_helper_pptp.c
+++ b/net/ipv4/netfilter/ip_nat_helper_pptp.c
@@ -315,7 +315,7 @@ pptp_inbound_pkt(struct sk_buff **pskb,
 		break;
 	case PPTP_IN_CALL_REQUEST:
 		/* only need to nat in case PAC is behind NAT box */
-		break;
+		return NF_ACCEPT;
 	case PPTP_WAN_ERROR_NOTIFY:
 		pcid = &pptpReq->wanerr.peersCallID;
 		break;
author	Patrick McHardy <kaber@trash.net>	2006-01-10 02:00:07 +0100
committer	Chris Wright <chrisw@sous-sol.org>	2006-01-14 22:15:29 -0800
commit	a81954faaf6fdbf1fd8a1ef03f2d75e01f56a974 (patch)
tree	83256f69b60a0b5c7e76c33ddf32817594aa272f
parent	e7594b2f2389fab1558fed58507ad3ce7d4eae56 (diff)