aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-05-23 18:07:07 -0400
committerDavid S. Miller <davem@sunset.sfo1.dsl.speakeasy.net>2006-05-23 18:15:08 -0400
commit7185989db4d926dbef1a2f638c464f35599c83e0 (patch)
treebea35167acbd7cc38dfc8b543833cf22f0e8b460
parent14ba3e7b3103a12b6f6a1057a1ecbfb15e1b48c0 (diff)
[NETFILTER]: H.323 helper: fix parser error propagation
The condition "> H323_ERROR_STOP" can never be true since H323_ERROR_STOP is positive and is the highest possible return code, while real errors are negative, fix the checks. Also only abort on real errors in some spots that were just interpreting any return value != 0 as error. Fixes crashes caused by use of stale data after a parsing error occured: BUG: unable to handle kernel paging request at virtual address bfffffff printing eip: c01aa0f8 *pde = 1a801067 *pte = 00000000 Oops: 0000 [#1] PREEMPT Modules linked in: ip_nat_h323 ip_conntrack_h323 nfsd exportfs sch_sfq sch_red cls_fw sch_hfsc xt_length ipt_owner xt_MARK iptable_mangle nfs lockd sunrpc pppoe pppoxx CPU: 0 EIP: 0060:[<c01aa0f8>] Not tainted VLI EFLAGS: 00210646 (2.6.17-rc4 #8) EIP is at memmove+0x19/0x22 eax: d77264e9 ebx: d77264e9 ecx: e88d9b17 edx: d77264e9 esi: bfffffff edi: bfffffff ebp: de6a7680 esp: c0349db8 ds: 007b es: 007b ss: 0068 Process asterisk (pid: 3765, threadinfo=c0349000 task=da068540) Stack: <0>00000006 c0349e5e d77264e3 e09a2b4e e09a38a0 d7726052 d7726124 00000491 00000006 00000006 00000006 00000491 de6a7680 d772601e d7726032 c0349f74 e09a2dc2 00000006 c0349e5e 00000006 00000000 d76dda28 00000491 c0349f74 Call Trace: [<e09a2b4e>] mangle_contents+0x62/0xfe [ip_nat] [<e09a2dc2>] ip_nat_mangle_tcp_packet+0xa1/0x191 [ip_nat] [<e0a2712d>] set_addr+0x74/0x14c [ip_nat_h323] [<e0ad531e>] process_setup+0x11b/0x29e [ip_conntrack_h323] [<e0ad534f>] process_setup+0x14c/0x29e [ip_conntrack_h323] [<e0ad57bd>] process_q931+0x3c/0x142 [ip_conntrack_h323] [<e0ad5dff>] q931_help+0xe0/0x144 [ip_conntrack_h323] ... Found by the PROTOS c07-h2250v4 testsuite. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c34
1 files changed, 19 insertions, 15 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c b/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
index 355a53a5b6cd..5d04438dda4b 100644
--- a/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
+++ b/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
@@ -528,14 +528,15 @@ int decode_seq(bitstr_t * bs, field_t * f, char *base, int level)
528 528
529 /* Decode */ 529 /* Decode */
530 if ((err = (Decoders[son->type]) (bs, son, base, 530 if ((err = (Decoders[son->type]) (bs, son, base,
531 level + 1)) > 531 level + 1)) <
532 H323_ERROR_STOP) 532 H323_ERROR_NONE)
533 return err; 533 return err;
534 534
535 bs->cur = beg + len; 535 bs->cur = beg + len;
536 bs->bit = 0; 536 bs->bit = 0;
537 } else if ((err = (Decoders[son->type]) (bs, son, base, 537 } else if ((err = (Decoders[son->type]) (bs, son, base,
538 level + 1))) 538 level + 1)) <
539 H323_ERROR_NONE)
539 return err; 540 return err;
540 } 541 }
541 542
@@ -584,8 +585,8 @@ int decode_seq(bitstr_t * bs, field_t * f, char *base, int level)
584 beg = bs->cur; 585 beg = bs->cur;
585 586
586 if ((err = (Decoders[son->type]) (bs, son, base, 587 if ((err = (Decoders[son->type]) (bs, son, base,
587 level + 1)) > 588 level + 1)) <
588 H323_ERROR_STOP) 589 H323_ERROR_NONE)
589 return err; 590 return err;
590 591
591 bs->cur = beg + len; 592 bs->cur = beg + len;
@@ -660,18 +661,20 @@ int decode_seqof(bitstr_t * bs, field_t * f, char *base, int level)
660 i < 661 i <
661 effective_count ? 662 effective_count ?
662 base : NULL, 663 base : NULL,
663 level + 1)) > 664 level + 1)) <
664 H323_ERROR_STOP) 665 H323_ERROR_NONE)
665 return err; 666 return err;
666 667
667 bs->cur = beg + len; 668 bs->cur = beg + len;
668 bs->bit = 0; 669 bs->bit = 0;
669 } else 670 } else
670 if ((err = (Decoders[son->type]) (bs, son, 671 if ((err = (Decoders[son->type]) (bs, son,
671 i < effective_count ? 672 i <
672 base : NULL, 673 effective_count ?
673 level + 1))) 674 base : NULL,
674 return err; 675 level + 1)) <
676 H323_ERROR_NONE)
677 return err;
675 678
676 if (base) 679 if (base)
677 base += son->offset; 680 base += son->offset;
@@ -735,13 +738,14 @@ int decode_choice(bitstr_t * bs, field_t * f, char *base, int level)
735 } 738 }
736 beg = bs->cur; 739 beg = bs->cur;
737 740
738 if ((err = (Decoders[son->type]) (bs, son, base, level + 1)) > 741 if ((err = (Decoders[son->type]) (bs, son, base, level + 1)) <
739 H323_ERROR_STOP) 742 H323_ERROR_NONE)
740 return err; 743 return err;
741 744
742 bs->cur = beg + len; 745 bs->cur = beg + len;
743 bs->bit = 0; 746 bs->bit = 0;
744 } else if ((err = (Decoders[son->type]) (bs, son, base, level + 1))) 747 } else if ((err = (Decoders[son->type]) (bs, son, base, level + 1)) <
748 H323_ERROR_NONE)
745 return err; 749 return err;
746 750
747 return H323_ERROR_NONE; 751 return H323_ERROR_NONE;