From b9d3e52e0e0f95ab5198ac20fbc47b3cb1a63407 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Mon, 19 Jun 2006 19:14:21 +0200 Subject: [PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085) Fix endless loop in the SCTP match similar to those already fixed in the SCTP conntrack helper (was CVE-2006-1527). Signed-off-by: Patrick McHardy Signed-off-by: Chris Wright --- net/netfilter/xt_sctp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c index 34bd87259a0..c29692c7ca1 100644 --- a/net/netfilter/xt_sctp.c +++ b/net/netfilter/xt_sctp.c @@ -62,7 +62,7 @@ match_packet(const struct sk_buff *skb, do { sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch); - if (sch == NULL) { + if (sch == NULL || sch->length == 0) { duprintf("Dropping invalid SCTP packet.\n"); *hotdrop = 1; return 0; -- cgit v1.2.3-18-g5258