author | Patrick McHardy <kaber@trash.net> | 2007-01-30 17:25:24 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2007-01-30 17:25:24 -0500 |
commit | adcb4711101dfef89d473f64a913089d303962ae (patch) | |
tree | c582cac3adbfd25fe09f91f9a62cfdbcfcb62714 | |
parent | 7da5bfbb12e327b3a347ee3e076957cd6564eb56 (diff) |
[NETFILTER]: SIP conntrack: fix out of bounds memory access
When checking for an @-sign in skp_epaddr_len, make sure not to
run over the packet boundaries.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_sip.c | 2 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_sip.c | 2 |
2 files changed, 2 insertions, 2 deletions
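--- a/net/ipv4/netfilter/ip_conntrack_sip.c
+++ b/net/ipv4/netfilter/ip_conntrack_sip.c
@@ -292,7 +292,7 @@ static int skp_epaddr_len(const char *dptr, const char *limit, int *shift)
 dptr++;
 }
 
-if (*dptr == '@') {
+if (dptr <= limit && *dptr == '@') {
 dptr++;
 (*shift)++;
 } else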
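Review bot: The added guard `dptr <= limit` on new line 295 is only sufficient if `limit` points at the last readable byte, and nothing visible in the hunk states that; if `limit` were one past the end of the data, `*dptr` would still read one byte outside the packet. The body of skp_epaddr_len starts and ends outside the hunk, so how the caller derives `limit` cannot be checked here. I would pin the contract with a comment above the check, e.g. `/* limit is inclusive: last byte of the packet data that may be read */`. Note also that after `dptr++` in the `@` branch the pointer may equal `limit + 1`, so the code that consumes `dptr` next has to re-check the bound before dereferencing; presumably it does, but it is not shown. The same points apply to the identical change at line 315 of net/netfilter/nf_conntrack_sip.c.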
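--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -312,7 +312,7 @@ static int skp_epaddr_len(struct nf_conn *ct, const char *dptr,
 dptr++;
 }
 
-if (*dptr == '@') {
+if (dptr <= limit && *dptr == '@') {
 dptr++;
 (*shift)++;
 } else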