[NETFILTER]: {ip,nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)

When creating a new connection by sending an unknown chunk type, we don't transition to a valid state, causing a NULL pointer dereference in sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE]. Fix by don't creating new conntrack entry if initial state is invalid. Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>

[NETFILTER]: {ip,nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)
When creating a new connection by sending an unknown chunk type, we don't transition to a valid state, causing a NULL pointer dereference in sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE]. Fix by don't creating new conntrack entry if initial state is invalid. Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
de3b9c4f · Patrick McHardy · Adrian Bunk · 0343e394 · de3b9c4f · de3b9c4f
Commit de3b9c4f authored Jul 22, 2007 by Patrick McHardy Committed by Adrian Bunk Jul 22, 2007
Showing with 4 additions and 2 deletions

net/ipv4/netfilter/ip_conntrack_proto_sctp.c net/ipv4/netfilter/ip_conntrack_proto_sctp.c +2 -1

net/netfilter/nf_conntrack_proto_sctp.c net/netfilter/nf_conntrack_proto_sctp.c +2 -1

No files found.
--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
@@ -461,7 +461,8 @@ static int sctp_new(struct ip_conntrack *conntrack,
 						SCTP_CONNTRACK_NONE, sch->type);

 		/* Invalid: delete conntrack */
-		if (newconntrack == SCTP_CONNTRACK_MAX) {
+		if (newconntrack == SCTP_CONNTRACK_NONE ||
+		    newconntrack == SCTP_CONNTRACK_MAX) {
 			DEBUGP("ip_conntrack_sctp: invalid new deleting.\n");
 			return 0;
 		}

--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -467,7 +467,8 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
 					 SCTP_CONNTRACK_NONE, sch->type);

 		/* Invalid: delete conntrack */
-		if (newconntrack == SCTP_CONNTRACK_MAX) {
+		if (newconntrack == SCTP_CONNTRACK_NONE ||
+		    newconntrack == SCTP_CONNTRACK_MAX) {
 			DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
 			return 0;
 		}