Commit 99d24ede authored Jul 10, 2007 by Patrick McHardy Committed by David S. Miller Jul 10, 2007

[NETFILTER]: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)



When creating a new connection by sending an unknown chunk type, we
don't transition to a valid state, causing a NULL pointer dereference
in sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].

Fix by don't creating new conntrack entry if initial state is invalid.

Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 56b3d975

net/netfilter/nf_conntrack_proto_sctp.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -431,7 +431,8 @@ static int sctp_new(struct nf_conn conntrack, const struct sk_buff skb,
		SCTP_CONNTRACK_NONE, sch->type);

		/* Invalid: delete conntrack */
		if (newconntrack == SCTP_CONNTRACK_MAX) {
		if (newconntrack == SCTP_CONNTRACK_NONE \|\|
		newconntrack == SCTP_CONNTRACK_MAX) {
		pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
		return 0;
		}