diff options
| author | Jing Min Zhao <zhaojingmin@vivecode.com> | 2007-07-05 20:05:01 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2007-07-05 20:40:23 -0400 |
| commit | 25845b5155b55cd77e42655ec24161ba3feffa47 (patch) | |
| tree | 3afe286f19bd8af561ab6131914fb0df8c5ab862 /net | |
| parent | 2cd052e44329dd2b42eb958f8f346b053de6e2cd (diff) | |
[NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
Choices' index values may be out of range while still encoded in the fixed
length bit-field. This bug may cause access to undefined types (NULL
pointers) and thus crashes (Reported by Zhongling Wen).
This patch also adds checking of decode flag when decoding SEQUENCEs.
Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/nf_conntrack_h323_asn1.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c index f6fad713d484..6b7eaa019d4c 100644 --- a/net/netfilter/nf_conntrack_h323_asn1.c +++ b/net/netfilter/nf_conntrack_h323_asn1.c | |||
| @@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t * f, char *base, int level) | |||
| 518 | CHECK_BOUND(bs, 2); | 518 | CHECK_BOUND(bs, 2); |
| 519 | len = get_len(bs); | 519 | len = get_len(bs); |
| 520 | CHECK_BOUND(bs, len); | 520 | CHECK_BOUND(bs, len); |
| 521 | if (!base) { | 521 | if (!base || !(son->attr & DECODE)) { |
| 522 | PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, | 522 | PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, |
| 523 | " ", son->name); | 523 | " ", son->name); |
| 524 | bs->cur += len; | 524 | bs->cur += len; |
| @@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t * f, char *base, int level) | |||
| 704 | } else { | 704 | } else { |
| 705 | ext = 0; | 705 | ext = 0; |
| 706 | type = get_bits(bs, f->sz); | 706 | type = get_bits(bs, f->sz); |
| 707 | if (type >= f->lb) | ||
| 708 | return H323_ERROR_RANGE; | ||
| 707 | } | 709 | } |
| 708 | 710 | ||
| 709 | /* Write Type */ | 711 | /* Write Type */ |