diff options
author | Patrick McHardy <kaber@trash.net> | 2006-06-19 19:14:21 +0200 |
---|---|---|
committer | Chris Wright <chrisw@sous-sol.org> | 2006-06-20 01:54:53 -0700 |
commit | ab46ee26dc90c5608c0d51c33a029fe514c0a49d (patch) | |
tree | c7f67db86a1fc5a05f15556ab472e0ef9d25a31d | |
parent | 0ba239cc0ef0ebf9d38cd733754fcf657ae79b2b (diff) |
[PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)
Fix endless loop in the SCTP match similar to those already fixed in the
SCTP conntrack helper (was CVE-2006-1527).
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
-rw-r--r-- | net/netfilter/xt_sctp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c index 10fbfc5ba75..23901824440 100644 --- a/net/netfilter/xt_sctp.c +++ b/net/netfilter/xt_sctp.c @@ -62,7 +62,7 @@ match_packet(const struct sk_buff *skb, do { sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch); - if (sch == NULL) { + if (sch == NULL || sch->length == 0) { duprintf("Dropping invalid SCTP packet.\n"); *hotdrop = 1; return 0; |