[NETFILTER]: SCTP conntrack: fix crash triggered by packet without chunks

When a packet without any chunks is received, the newconntrack variable in sctp_packet contains an out of bounds value that is used to look up an pointer from the array of timeouts, which is then dereferenced, resulting in a crash. Make sure at least a single chunk is present. Problem noticed by George A. Theall <theall@tenablesecurity.com> Signed-off-by: N Patrick McHardy <kaber@trash.net> Signed-off-by: N David S. Miller <davem@davemloft.net>

[NETFILTER]: SCTP conntrack: fix crash triggered by packet without chunks
When a packet without any chunks is received, the newconntrack variable in sctp_packet contains an out of bounds value that is used to look up an pointer from the array of timeouts, which is then dereferenced, resulting in a crash. Make sure at least a single chunk is present. Problem noticed by George A. Theall <theall@tenablesecurity.com> Signed-off-by: N Patrick McHardy <kaber@trash.net> Signed-off-by: N David S. Miller <davem@davemloft.net>
dd7271fe · Patrick McHardy · David S. Miller · 2c6059bc · dd7271fe · dd7271fe
显示空白变更内容
内联并排

Showing with 2 addition and 2 deletion

net/ipv4/netfilter/ip_conntrack_proto_sctp.c net/ipv4/netfilter/ip_conntrack_proto_sctp.c +1 -1

net/netfilter/nf_conntrack_proto_sctp.c net/netfilter/nf_conntrack_proto_sctp.c +1 -1

未找到文件。
--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
@@ -254,7 +254,7 @@ static int do_basic_checks(struct ip_conntrack *conntrack,
 	}
 	DEBUGP("Basic checks passed\n");
-	return 0;
+	return count == 0;
 }
 static int new_state(enum ip_conntrack_dir dir,

--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -261,7 +261,7 @@ static int do_basic_checks(struct nf_conn *conntrack,
 	}
 	DEBUGP("Basic checks passed\n");
-	return 0;
+	return count == 0;
 }
 static int new_state(enum ip_conntrack_dir dir,