Commit 8b1d5859 authored by Patrick McHardy's avatar Patrick McHardy Committed by Greg Kroah-Hartman

NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)

When creating a new connection by sending an unknown chunk type, we
don't transition to a valid state, causing a NULL pointer dereference in
sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].

Fix by don't creating new conntrack entry if initial state is invalid.

Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>

CC: Kiran Kumar Immidi <immidi_kiran@yahoo.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
parent 7dcca30a
......@@ -460,7 +460,8 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
SCTP_CONNTRACK_NONE, sch->type);
/* Invalid: delete conntrack */
if (newconntrack == SCTP_CONNTRACK_MAX) {
if (newconntrack == SCTP_CONNTRACK_NONE ||
newconntrack == SCTP_CONNTRACK_MAX) {
DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
return 0;
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment