diff options
author | Florian Westphal <fw@strlen.de> | 2023-01-26 02:35:21 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-01-31 14:02:48 +0100 |
commit | bd0e06f0def75ba26572a94e5350324474a55562 (patch) | |
tree | f32e0ac561c3280b84dbe52581fac886fb815fe8 | |
parent | 2b272bb558f1d3a5aa95ed8a82253786fd1a48ba (diff) | |
download | linux-stable-bd0e06f0def75ba26572a94e5350324474a55562.tar.gz linux-stable-bd0e06f0def75ba26572a94e5350324474a55562.tar.bz2 linux-stable-bd0e06f0def75ba26572a94e5350324474a55562.zip |
Revert "netfilter: conntrack: fix bug in for_each_sctp_chunk"
There is no bug. If sch->length == 0, this would result in an infinite
loop, but first caller, do_basic_checks(), errors out in this case.
After this change, packets with bogus zero-length chunks are no longer
detected as invalid, so revert & add comment wrt. 0 length check.
Fixes: 98ee00774525 ("netfilter: conntrack: fix bug in for_each_sctp_chunk")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | net/netfilter/nf_conntrack_proto_sctp.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c index 945dd40e7077..011d414038ea 100644 --- a/net/netfilter/nf_conntrack_proto_sctp.c +++ b/net/netfilter/nf_conntrack_proto_sctp.c @@ -142,10 +142,11 @@ static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) } #endif +/* do_basic_checks ensures sch->length > 0, do not use before */ #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \ - ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))) && \ - (sch)->length; \ + (offset) < (skb)->len && \ + ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) /* Some validity checks to make sure the chunks are fine */ |