Commit 15db3470 authored Jan 09, 2006 by Patrick McHardy Committed by David S. Miller Jan 10, 2006

[NETFILTER]: Fix crash in ip_nat_pptp



When an inbound PPTP_IN_CALL_REQUEST packet is received the
PPTP NAT helper uses a NULL pointer in pointer arithmentic to
calculate the offset in the packet which needs to be mangled
and corrupts random memory or crashes.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent bb94aa16

net/ipv4/netfilter/ip_nat_helper_pptp.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -315,7 +315,7 @@ pptp_inbound_pkt(struct sk_buff **pskb,
		break;
		case PPTP_IN_CALL_REQUEST:
		/* only need to nat in case PAC is behind NAT box */
		break;
		return NF_ACCEPT;
		case PPTP_WAN_ERROR_NOTIFY:
		pcid = &pptpReq->wanerr.peersCallID;
		break;