--- /dev/null
+From stable-bounces@linux.kernel.org Thu Jul 5 11:42:31 2007
+Message-ID: <468D3B86.5020308@trash.net>
+Date: Thu, 05 Jul 2007 20:42:14 +0200
+From: Patrick McHardy <kaber@trash.net>
+To: "David S. Miller" <davem@davemloft.net>
+Cc: security@kernel.org, Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>, stable@kernel.org
+Subject: [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
+
+From: Jing Min Zhao <zhaojingmin@vivecode.com>
+
+[NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
+
+Choices' index values may be out of range while still encoded in the fixed
+length bit-field. This bug may cause access to undefined types (NULL
+pointers) and thus crashes (Reported by Zhongling Wen).
+
+This patch also adds checking of decode flag when decoding SEQUENCEs.
+
+Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t *
+ CHECK_BOUND(bs, 2);
+ len = get_len(bs);
+ CHECK_BOUND(bs, len);
+- if (!base) {
++ if (!base || !(son->attr & DECODE)) {
+ PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
+ " ", son->name);
+ bs->cur += len;
+@@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t
+ } else {
+ ext = 0;
+ type = get_bits(bs, f->sz);
++ if (type >= f->lb)
++ return H323_ERROR_RANGE;
+ }
+
+ /* Write Type */
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Jul 5 11:42:31 2007
+Message-ID: <468D3B86.5020308@trash.net>
+Date: Thu, 05 Jul 2007 20:42:14 +0200
+From: Patrick McHardy <kaber@trash.net>
+To: "David S. Miller" <davem@davemloft.net>
+Cc: security@kernel.org, Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>, stable@kernel.org
+Subject: [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
+
+From: Jing Min Zhao <zhaojingmin@vivecode.com>
+
+[NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
+
+Choices' index values may be out of range while still encoded in the fixed
+length bit-field. This bug may cause access to undefined types (NULL
+pointers) and thus crashes (Reported by Zhongling Wen).
+
+This patch also adds checking of decode flag when decoding SEQUENCEs.
+
+Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t *
+ CHECK_BOUND(bs, 2);
+ len = get_len(bs);
+ CHECK_BOUND(bs, len);
+- if (!base) {
++ if (!base || !(son->attr & DECODE)) {
+ PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
+ " ", son->name);
+ bs->cur += len;
+@@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t
+ } else {
+ ext = 0;
+ type = get_bits(bs, f->sz);
++ if (type >= f->lb)
++ return H323_ERROR_RANGE;
+ }
+
+ /* Write Type */