[NETFILTER]: Fix crash in ip_nat_pptp

When an inbound PPTP_IN_CALL_REQUEST packet is received the
PPTP NAT helper uses a NULL pointer in pointer arithmentic to
calculate the offset in the packet which needs to be mangled
and corrupts random memory or crashes.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/netfilter/ip_nat_helper_pptp.c b/net/ipv4/netfilter/ip_nat_helper_pptp.c
index e546203f56625c5c52be817075818e674817b5ac..8ad7b36e242d1499355fdf4b42ddc6046f939ab4 100644 (file)
--- a/net/ipv4/netfilter/ip_nat_helper_pptp.c
+++ b/net/ipv4/netfilter/ip_nat_helper_pptp.c
@@ -315,7 +315,7 @@ pptp_inbound_pkt(struct sk_buff **pskb,
                break;
        case PPTP_IN_CALL_REQUEST:
                /* only need to nat in case PAC is behind NAT box */
-               break;
+               return NF_ACCEPT;
        case PPTP_WAN_ERROR_NOTIFY:
                pcid = &pptpReq->wanerr.peersCallID;
                break;