author | Patrick McHardy <kaber@trash.net> | 2011-05-16 08:42:26 -0400 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2011-05-16 08:42:26 -0400 |
commit | 274ea0e2a4cdf18110e5931b8ecbfef6353e5293 (patch) | |
tree | d8d78f730253a0bd77a5e17557f4552005ba539b /net/netfilter | |
parent | 74973f6fbfcd1b084c3ccc75b783a6dacac94a10 (diff) |
netfilter: nf_ct_sip: validate Content-Length in TCP SIP messages
Verify that the message length of a single SIP message, which is calculated
based on the Content-Length field contained in the SIP message, does not
exceed the packet boundaries.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/netfilter')
-rw-r--r-- | net/netfilter/nf_conntrack_sip.c | 2 |
1 files changed, 2 insertions, 0 deletions
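--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1461,6 +1461,8 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
 end += strlen("\r\n\r\n") + clen;
 
 msglen = origlen = end - dptr;
+if (msglen > datalen)
+return NF_DROP;
 
 ret = process_sip_msg(skb, ct, dataoff, &dptr, &msglen);
 if (ret != NF_ACCEPT)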
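Review bot: The new `msglen > datalen` test runs only after `end += strlen("\r\n\r\n") + clen` and `msglen = origlen = end - dptr`, so it checks a value that may already have been truncated. The declarations are outside the hunk, but if `clen` and `msglen` are 32-bit unsigned and `clen` comes straight from the Content-Length header, a large enough value makes the sum exceed the range of `msglen` and the stored length can end up no larger than `datalen`; `end` has also been moved past the buffer by then. Comparing before the addition avoids both, for example `if (clen > datalen - (end - dptr) - strlen("\r\n\r\n")) return NF_DROP;` placed ahead of the `end +=` line, assuming the code above the hunk has already established that the terminator lies within `datalen`. It is also worth confirming that NF_DROP is the intended verdict when a SIP message legitimately continues in a later TCP segment. The body of sip_help_tcp starts and ends outside the hunk.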