Revert "netfilter: conntrack: fix bug in for_each_sctp_chunk"
There is no bug. If sch->length == 0, this would result in an infinite
loop, but first caller, do_basic_checks(), errors out in this case.
After this change, packets with bogus zero-length chunks are no longer
detected as invalid, so revert & add comment wrt. 0 length check.
Fixes: 98ee007745
("netfilter: conntrack: fix bug in for_each_sctp_chunk")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
2b272bb558
commit
bd0e06f0de
|
@ -142,10 +142,11 @@ static void sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* do_basic_checks ensures sch->length > 0, do not use before */
|
||||||
#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
|
#define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
|
||||||
for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \
|
for ((offset) = (dataoff) + sizeof(struct sctphdr), (count) = 0; \
|
||||||
((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))) && \
|
(offset) < (skb)->len && \
|
||||||
(sch)->length; \
|
((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
|
||||||
(offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
|
(offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
|
||||||
|
|
||||||
/* Some validity checks to make sure the chunks are fine */
|
/* Some validity checks to make sure the chunks are fine */
|
||||||
|
|
Loading…
Reference in New Issue