aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJing Min Zhao <zhaojingmin@vivecode.com>2007-07-05 20:05:01 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-07-05 20:40:23 -0400
commit25845b5155b55cd77e42655ec24161ba3feffa47 (patch)
tree3afe286f19bd8af561ab6131914fb0df8c5ab862
parent2cd052e44329dd2b42eb958f8f346b053de6e2cd (diff)
[NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
Choices' index values may be out of range while still encoded in the fixed length bit-field. This bug may cause access to undefined types (NULL pointers) and thus crashes (Reported by Zhongling Wen). This patch also adds checking of decode flag when decoding SEQUENCEs. Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/netfilter/nf_conntrack_h323_asn1.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index f6fad713d484..6b7eaa019d4c 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t * f, char *base, int level)
518 CHECK_BOUND(bs, 2); 518 CHECK_BOUND(bs, 2);
519 len = get_len(bs); 519 len = get_len(bs);
520 CHECK_BOUND(bs, len); 520 CHECK_BOUND(bs, len);
521 if (!base) { 521 if (!base || !(son->attr & DECODE)) {
522 PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, 522 PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
523 " ", son->name); 523 " ", son->name);
524 bs->cur += len; 524 bs->cur += len;
@@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t * f, char *base, int level)
704 } else { 704 } else {
705 ext = 0; 705 ext = 0;
706 type = get_bits(bs, f->sz); 706 type = get_bits(bs, f->sz);
707 if (type >= f->lb)
708 return H323_ERROR_RANGE;
707 } 709 }
708 710
709 /* Write Type */ 711 /* Write Type */