aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2007-01-30 17:25:24 -0500
committerDavid S. Miller <davem@davemloft.net>2007-01-30 17:25:24 -0500
commitadcb4711101dfef89d473f64a913089d303962ae (patch)
treec582cac3adbfd25fe09f91f9a62cfdbcfcb62714
parent7da5bfbb12e327b3a347ee3e076957cd6564eb56 (diff)
[NETFILTER]: SIP conntrack: fix out of bounds memory access
When checking for an @-sign in skp_epaddr_len, make sure not to run over the packet boundaries. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/netfilter/ip_conntrack_sip.c2
-rw-r--r--net/netfilter/nf_conntrack_sip.c2
2 files changed, 2 insertions, 2 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_sip.c b/net/ipv4/netfilter/ip_conntrack_sip.c
index 571d27e20910..11c588a10e6b 100644
--- a/net/ipv4/netfilter/ip_conntrack_sip.c
+++ b/net/ipv4/netfilter/ip_conntrack_sip.c
@@ -292,7 +292,7 @@ static int skp_epaddr_len(const char *dptr, const char *limit, int *shift)
292 dptr++; 292 dptr++;
293 } 293 }
294 294
295 if (*dptr == '@') { 295 if (dptr <= limit && *dptr == '@') {
296 dptr++; 296 dptr++;
297 (*shift)++; 297 (*shift)++;
298 } else 298 } else
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index c93fb37a54fc..9dec11534678 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -312,7 +312,7 @@ static int skp_epaddr_len(struct nf_conn *ct, const char *dptr,
312 dptr++; 312 dptr++;
313 } 313 }
314 314
315 if (*dptr == '@') { 315 if (dptr <= limit && *dptr == '@') {
316 dptr++; 316 dptr++;
317 (*shift)++; 317 (*shift)++;
318 } else 318 } else