[NETFILTER]: xt_sctp: fix endless loop caused by 0 chunk length

Fix endless loop in the SCTP match similar to those already fixed in the SCTP conntrack helper (was CVE-2006-1527). Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>

[NETFILTER]: xt_sctp: fix endless loop caused by 0 chunk length
Fix endless loop in the SCTP match similar to those already fixed in the SCTP conntrack helper (was CVE-2006-1527). Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy · David S. Miller
1 parent 25f42b6af0
Showing 1 changed file with 1 additions and 1 deletions Side-by-side Diff
net/netfilter/xt_sctp.c
@@ -62,7 +62,7 @@
  
 	do {
 		sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
-		if (sch == NULL) {
+		if (sch == NULL || sch->length == 0) {
 			duprintf("Dropping invalid SCTP packet.\n");
 			*hotdrop = 1;
 			return 0;
...	...	@@ -62,7 +62,7 @@
62	62
63	63	do {
64	64	sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
65		- if (sch == NULL) {
	65	+ if (sch == NULL \|\| sch->length == 0) {
66	66	duprintf("Dropping invalid SCTP packet.\n");
67	67	*hotdrop = 1;
68	68	return 0;