netfilter: nf_ct_sip: fix SDP parsing in TCP SIP messages for some Cisco phones

Some Cisco phones do not place the Content-Length field at the end of the
SIP message. This is valid, due to a misunderstanding of the specification
the parser expects the SDP body to start directly after the Content-Length
field. Fix the parser to scan for \r\n\r\n to locate the beginning of the
SDP body.

Reported-by: Teresa Kang <teresa_kang@gemtek.com.tw>
Signed-off-by: Patrick McHardy <kaber@trash.net>

1 files changed, 10 insertions, 4 deletions

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 1f81abde131f..c05c0dc33499 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1419,6 +1419,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
         const char *dptr, *end;
         s16 diff, tdiff = 0;
         int ret = NF_ACCEPT;
+        bool term;
         typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
 
         if (ctinfo != IP_CT_ESTABLISHED &&
@@ -1453,10 +1454,15 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
                 if (dptr + matchoff == end)
                         break;
 
-                if (end + strlen("\r\n\r\n") > dptr + datalen)
-                        break;
-                if (end[0] != '\r' || end[1] != '\n' ||
-                    end[2] != '\r' || end[3] != '\n')
+                term = false;
+                for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
+                        if (end[0] == '\r' && end[1] == '\n' &&
+                            end[2] == '\r' && end[3] == '\n') {
+                                term = true;
+                                break;
+                        }
+                }
+                if (!term)
                         break;
                 end += strlen("\r\n\r\n") + clen;