[NETFILTER]: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)
When creating a new connection by sending an unknown chunk type, we don't transition to a valid state, causing a NULL pointer dereference in sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE]. Fix by don't creating new conntrack entry if initial state is invalid. Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
56b3d975bb
commit
99d24edeb6
|
@ -431,7 +431,8 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
|
|||
SCTP_CONNTRACK_NONE, sch->type);
|
||||
|
||||
/* Invalid: delete conntrack */
|
||||
if (newconntrack == SCTP_CONNTRACK_MAX) {
|
||||
if (newconntrack == SCTP_CONNTRACK_NONE ||
|
||||
newconntrack == SCTP_CONNTRACK_MAX) {
|
||||
pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
|
||||
return 0;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue