[PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)

Fix endless loop in the SCTP match similar to those already fixed in the SCTP conntrack helper (was CVE-2006-1527). Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>

[PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)
Fix endless loop in the SCTP match similar to those already fixed in the SCTP conntrack helper (was CVE-2006-1527). Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
ab46ee26 · Patrick McHardy · Chris Wright · 0ba239cc · ab46ee26
Commit ab46ee26 authored Jun 19, 2006 by Patrick McHardy Committed by Chris Wright Jun 20, 2006
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

net/netfilter/xt_sctp.c net/netfilter/xt_sctp.c +1 -1

No files found.
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -62,7 +62,7 @@ match_packet(const struct sk_buff *skb,

 	do {
 		sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
-		if (sch == NULL) {
+		if (sch == NULL || sch->length == 0) {
 			duprintf("Dropping invalid SCTP packet.\n");
 			*hotdrop = 1;
 			return 0;