Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6

1 files changed, 12 insertions, 4 deletions

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 237cc1981b89..cb5a28581782 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1419,6 +1419,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
         const char *dptr, *end;
         s16 diff, tdiff = 0;
         int ret = NF_ACCEPT;
+        bool term;
         typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
 
         if (ctinfo != IP_CT_ESTABLISHED &&
@@ -1453,14 +1454,21 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
                 if (dptr + matchoff == end)
                         break;
 
-                if (end + strlen("\r\n\r\n") > dptr + datalen)
-                        break;
-                if (end[0] != '\r' || end[1] != '\n' ||
-                    end[2] != '\r' || end[3] != '\n')
+                term = false;
+                for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
+                        if (end[0] == '\r' && end[1] == '\n' &&
+                            end[2] == '\r' && end[3] == '\n') {
+                                term = true;
+                                break;
+                        }
+                }
+                if (!term)
                         break;
                 end += strlen("\r\n\r\n") + clen;
 
                 msglen = origlen = end - dptr;
+                if (msglen > datalen)
+                        return NF_DROP;
 
                 ret = process_sip_msg(skb, ct, dataoff, &dptr, &msglen);
                 if (ret != NF_ACCEPT)