author | Patrick McHardy <kaber@trash.net> | 2006-01-10 02:00:07 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-01-30 22:42:30 -0800 |
commit | 988042953360dcc04a965965f08e11b7e8329328 (patch) | |
tree | 46cc93303a8bfd7db2f99e10d79f55eb8b55566f | |
parent | 7d5e09f7dc89aff4b6cfa42ca686f3b20eacfdbd (diff) |
[PATCH] Fix crash in ip_nat_pptp (CVE-2006-0036)
When an inbound PPTP_IN_CALL_REQUEST packet is received the
PPTP NAT helper uses a NULL pointer in pointer arithmetic to
calculate the offset in the packet which needs to be mangled
and corrupts random memory or crashes.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | net/ipv4/netfilter/ip_nat_helper_pptp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/ip_nat_helper_pptp.c b/net/ipv4/netfilter/ip_nat_helper_pptp.c index 56e29fae641..4fe711c27ba 100644 --- a/net/ipv4/netfilter/ip_nat_helper_pptp.c +++ b/net/ipv4/netfilter/ip_nat_helper_pptp.c @@ -313,7 +313,7 @@ pptp_inbound_pkt(struct sk_buff **pskb, break; case PPTP_IN_CALL_REQUEST: /* only need to nat in case PAC is behind NAT box */ - break; + return NF_ACCEPT; case PPTP_WAN_ERROR_NOTIFY: pcid = &pptpReq->wanerr.peersCallID; break; |
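Review bot: The new `return NF_ACCEPT;` under `case PPTP_IN_CALL_REQUEST:` has no comment saying why this case must leave the function instead of falling out of the switch; the existing comment ("only need to nat in case PAC is behind NAT box") reads as a reason to do nothing, not as a reason to skip what follows. Unlike `PPTP_WAN_ERROR_NOTIFY`, which sets `pcid` before its `break`, this case sets no pointer, and per the commit message that is what led to the NULL pointer arithmetic. Suggest a one-line comment such as `/* no call ID to mangle here, must not reach the mangling code */`. It is also worth considering a guard on the pointer at the point after the switch where it is used, so that a later case that breaks without setting it cannot reintroduce the same crash; that code is outside the visible context, so this depends on how it is written.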