summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-06-19 23:39:45 -0700
committerDavid S. Miller <davem@davemloft.net>2006-06-19 23:39:45 -0700
commitd3dcd4efe2ad1ad1865b2fe5c863c1ebd9482a84 (patch)
tree058379919390c78a18075fabf43e8fdd3d645418 /net
parent25f42b6af09e34c3f92107b36b5aa6edc2fdba2f (diff)
downloadlwn-d3dcd4efe2ad1ad1865b2fe5c863c1ebd9482a84.tar.gz
lwn-d3dcd4efe2ad1ad1865b2fe5c863c1ebd9482a84.zip
[NETFILTER]: xt_sctp: fix endless loop caused by 0 chunk length
Fix endless loop in the SCTP match similar to those already fixed in the SCTP conntrack helper (was CVE-2006-1527). Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/xt_sctp.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index b5110e5b54b0..9316c753692f 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -62,7 +62,7 @@ match_packet(const struct sk_buff *skb,
do {
sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
- if (sch == NULL) {
+ if (sch == NULL || sch->length == 0) {
duprintf("Dropping invalid SCTP packet.\n");
*hotdrop = 1;
return 0;