Commit bd0e06f0 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

Revert "netfilter: conntrack: fix bug in for_each_sctp_chunk" 



There is no bug.  If sch->length == 0, this would result in an infinite
loop, but first caller, do_basic_checks(), errors out in this case.

After this change, packets with bogus zero-length chunks are no longer
detected as invalid, so revert & add comment wrt. 0 length check.

Fixes: 98ee0077 ("netfilter: conntrack: fix bug in for_each_sctp_chunk")
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 2b272bb5

net/netfilter/nf_conntrack_proto_sctp.c

+3 −2
Original line number Diff line number Diff line
@@ -142,10 +142,11 @@ static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct) 
}

#endif



/* do_basic_checks ensures sch->length > 0, do not use before */

#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count)	\

for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0;	\

	((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))) &&	\

	(sch)->length;	\

	(offset) < (skb)->len &&					\

	((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch)));	\

	(offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)



/* Some validity checks to make sure the chunks are fine */