[PATCH] Fix crash in ip_nat_pptp (CVE-2006-0036)
author Patrick McHardy <kaber@trash.net>
Tue, 10 Jan 2006 01:00:07 +0000 (02:00 +0100)
committer Greg Kroah-Hartman <gregkh@suse.de>
Tue, 31 Jan 2006 06:42:30 +0000 (22:42 -0800)
When an inbound PPTP_IN_CALL_REQUEST packet is received the
PPTP NAT helper uses a NULL pointer in pointer arithmetic to
calculate the offset in the packet which needs to be mangled
and corrupts random memory or crashes.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
net/ipv4/netfilter/ip_nat_helper_pptp.c

index 56e29fae641b7588266e7bb0964c8f3ccd0808d7..4fe711c27ba83fc1cd3e1fb7763272ecd52b2f92 100644
@@ -313,7 +313,7 @@ pptp_inbound_pkt(struct sk_buff **pskb,
                break;
        case PPTP_IN_CALL_REQUEST:
                /* only need to nat in case PAC is behind NAT box */
-               break;
+               return NF_ACCEPT;
        case PPTP_WAN_ERROR_NOTIFY:
                pcid = &pptpReq->wanerr.peersCallID;
                break;
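Review bot: the early `return NF_ACCEPT;` fixes the NULL-pointer arithmetic by never reaching the shared mangling code after the switch for this case (the other cases visible here set `pcid` before breaking, while `PPTP_IN_CALL_REQUEST` leaves it unset), but the retained comment `/* only need to nat in case PAC is behind NAT box */` now reads as if NAT is still performed on some path, which it is not. Suggest rewording it to state that inbound IN_CALL_REQUEST needs no mangling and the helper accepts the packet untouched, and confirming that nothing else after the switch (any bookkeeping that runs for the `break` cases) is required for this message type, since the return now skips all of it.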