Commit:     99d24edeb6abc6ca3a0d0fbdb83c664c04403c8c
Parent:     56b3d975bbce65f655c5612b4822da671f9fd9b2
Author:     Patrick McHardy <[EMAIL PROTECTED]>
AuthorDate: Tue Jul 10 23:24:52 2007 -0700
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Tue Jul 10 23:24:52 2007 -0700

    [NETFILTER]: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)
    When creating a new connection by sending an unknown chunk type, we
    don't transition to a valid state, causing a NULL pointer dereference
    in sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
    Fix by not creating a new conntrack entry if the initial state is invalid.
    Noticed by Vilmos Nebehaj <[EMAIL PROTECTED]>
    Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
    Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]>
    Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
    Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
 net/netfilter/nf_conntrack_proto_sctp.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_sctp.c 
index 265769e..debfe61 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -431,7 +431,8 @@ static int sctp_new(struct nf_conn *conntrack, const struct 
sk_buff *skb,
                                         SCTP_CONNTRACK_NONE, sch->type);
                /* Invalid: delete conntrack */
-               if (newconntrack == SCTP_CONNTRACK_MAX) {
+               if (newconntrack == SCTP_CONNTRACK_NONE ||
+                   newconntrack == SCTP_CONNTRACK_MAX) {
                        pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
                        return 0;
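Review bot: The subject says `{ip, nf}_conntrack_sctp`, but the diffstat lists only `net/netfilter/nf_conntrack_proto_sctp.c`; the same `newconntrack == SCTP_CONNTRACK_NONE` check in `sctp_new()` is presumably needed in the ip_conntrack copy of the SCTP tracker as well, so either that file should be part of this change or the subject should be narrowed to nf_conntrack. Minor: the existing comment `/* Invalid: delete conntrack */` now covers two cases and does not explain why NONE is rejected; since the commit message says an unknown chunk type leaves the state at NONE and later indexes `sctp_timeouts[SCTP_CONNTRACK_NONE]`, a one-line comment such as `/* No valid transition from NONE (unknown chunk type): don't create a conntrack */` would make the intent clear to the next reader.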