diff options
author | Patrick McHardy <kaber@trash.net> | 2006-05-04 02:16:29 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2006-05-04 02:16:29 -0400 |
commit | 6fd737031eb6869430d0f3cf6bf1440adf7aedf5 (patch) | |
tree | f4dfd6500f1ba0b915531c3b340164e30328e20f /net/ipv4 | |
parent | e17df688f7064dae1417ce425dd1e4b71d24d63b (diff) |
[NETFILTER]: H.323 helper: fix endless loop caused by invalid TPKT len
When the TPKT len included in the packet is below the lowest valid value
of 4 an underflow occurs which results in an endless loop.
Found by testcase 0000058 from the PROTOS c07-h2250v4 testsuite.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_helper_h323.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323.c b/net/ipv4/netfilter/ip_conntrack_helper_h323.c index 2c2fb700d835..518f581d39ec 100644 --- a/net/ipv4/netfilter/ip_conntrack_helper_h323.c +++ b/net/ipv4/netfilter/ip_conntrack_helper_h323.c | |||
@@ -162,6 +162,8 @@ static int get_tpkt_data(struct sk_buff **pskb, struct ip_conntrack *ct, | |||
162 | 162 | ||
163 | /* Validate TPKT length */ | 163 | /* Validate TPKT length */ |
164 | tpktlen = tpkt[2] * 256 + tpkt[3]; | 164 | tpktlen = tpkt[2] * 256 + tpkt[3]; |
165 | if (tpktlen < 4) | ||
166 | goto clear_out; | ||
165 | if (tpktlen > tcpdatalen) { | 167 | if (tpktlen > tcpdatalen) { |
166 | if (tcpdatalen == 4) { /* Separate TPKT header */ | 168 | if (tcpdatalen == 4) { /* Separate TPKT header */ |
167 | /* Netmeeting sends TPKT header and data separately */ | 169 | /* Netmeeting sends TPKT header and data separately */ |