[PATCH] Fix crash in ip_nat_pptp (CVE-2006-0036)

When an inbound PPTP_IN_CALL_REQUEST packet is received the PPTP NAT helper uses a NULL pointer in pointer arithmentic to calculate the offset in the packet which needs to be mangled and corrupts random memory or crashes. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>

[PATCH] Fix crash in ip_nat_pptp (CVE-2006-0036)
When an inbound PPTP_IN_CALL_REQUEST packet is received the PPTP NAT helper uses a NULL pointer in pointer arithmentic to calculate the offset in the packet which needs to be mangled and corrupts random memory or crashes. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
a81954fa · Patrick McHardy · Chris Wright · e7594b2f · a81954fa
Commit a81954fa authored Jan 10, 2006 by Patrick McHardy Committed by Chris Wright Jan 14, 2006
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

net/ipv4/netfilter/ip_nat_helper_pptp.c net/ipv4/netfilter/ip_nat_helper_pptp.c +1 -1

No files found.
--- a/net/ipv4/netfilter/ip_nat_helper_pptp.c
+++ b/net/ipv4/netfilter/ip_nat_helper_pptp.c
@@ -315,7 +315,7 @@ pptp_inbound_pkt(struct sk_buff **pskb,
 		break;
 	case PPTP_IN_CALL_REQUEST:
 		/* only need to nat in case PAC is behind NAT box */
-		break;
+		return NF_ACCEPT;
 	case PPTP_WAN_ERROR_NOTIFY:
 		pcid = &pptpReq->wanerr.peersCallID;
 		break;