提交 99d24ede 编写于 作者: P Patrick McHardy 提交者: David S. Miller

[NETFILTER]: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)

When creating a new connection by sending an unknown chunk type, we
don't transition to a valid state, causing a NULL pointer dereference
in sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].

Fix by don't creating new conntrack entry if initial state is invalid.

Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: NChris Wright <chrisw@sous-sol.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 56b3d975
...@@ -431,7 +431,8 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb, ...@@ -431,7 +431,8 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
SCTP_CONNTRACK_NONE, sch->type); SCTP_CONNTRACK_NONE, sch->type);
/* Invalid: delete conntrack */ /* Invalid: delete conntrack */
if (newconntrack == SCTP_CONNTRACK_MAX) { if (newconntrack == SCTP_CONNTRACK_NONE ||
newconntrack == SCTP_CONNTRACK_MAX) {
pr_debug("nf_conntrack_sctp: invalid new deleting.\n"); pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
return 0; return 0;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册