Merge git://1984.lsi.us.es/nf

Pable Neira Ayuso says: ==================== The following five patches contain fixes for 3.6-rc, they are: * Two fixes for message parsing in the SIP conntrack helper, from Patrick McHardy. * One fix for the SIP helper introduced in the user-space cthelper infrastructure, from Patrick McHardy. * fix missing appropriate locking while modifying one conntrack entry from the nfqueue integration code, from myself. * fix possible access to uninitiliazed timer in the nf_conntrack expectation infrastructure, from myself. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2012-08-20 05:44:29 -0400
committer: David S. Miller <davem@davemloft.net> 2012-08-20 05:44:29 -0400
commit: 6c71bec66ae65305ba5c33c93aa722f21f092737 (patch)
tree: ab07e16e8047bea8343d6ad34f0d5377f369aef4 /net/ipv4
parent: c0de08d04215031d68fa13af36f347a6cfa252ca (diff)
parent: 2614f86490122bf51eb7c12ec73927f1900f4e7d (diff)
1 files changed, 5 insertions, 4 deletions
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index ea4a23813d26..4ad9cf173992 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -148,7 +148,7 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
        if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
                                    hdr, NULL, &matchoff, &matchlen,
                                    &addr, &port) > 0) {
-                unsigned int matchend, poff, plen, buflen, n;
+                unsigned int olen, matchend, poff, plen, buflen, n;
                char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
                /* We're only interested in headers related to this
@@ -163,17 +163,18 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
                                goto next;
                }
+                olen = *datalen;
                if (!map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen,
                              &addr, port))
                        return NF_DROP;
-                matchend = matchoff + matchlen;
+                matchend = matchoff + matchlen + *datalen - olen;
                /* The maddr= parameter (RFC 2361) specifies where to send
                 * the reply. */
                if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
                                               "maddr=", &poff, &plen,
-                                               &addr) > 0 &&
+                                               &addr, true) > 0 &&
                    addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
                    addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) {
                        buflen = sprintf(buffer, "%pI4",
@@ -187,7 +188,7 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
                 * from which the server received the request. */
                if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
                                               "received=", &poff, &plen,
-                                               &addr) > 0 &&
+                                               &addr, false) > 0 &&
                    addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
                    addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) {
                        buflen = sprintf(buffer, "%pI4",
author	David S. Miller <davem@davemloft.net>	2012-08-20 05:44:29 -0400
committer	David S. Miller <davem@davemloft.net>	2012-08-20 05:44:29 -0400
commit	6c71bec66ae65305ba5c33c93aa722f21f092737 (patch)
tree	ab07e16e8047bea8343d6ad34f0d5377f369aef4 /net/ipv4
parent	c0de08d04215031d68fa13af36f347a6cfa252ca (diff)
parent	2614f86490122bf51eb7c12ec73927f1900f4e7d (diff)