4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 7 Jul 2020 14:11:20 +0000 (16:11 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 7 Jul 2020 14:11:20 +0000 (16:11 +0200)
added patches:
netfilter-nf_conntrack_h323-lost-.data_len-definition-for-q.931-ipv6.patch

queue-4.4/netfilter-nf_conntrack_h323-lost-.data_len-definition-for-q.931-ipv6.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/netfilter-nf_conntrack_h323-lost-.data_len-definition-for-q.931-ipv6.patch b/queue-4.4/netfilter-nf_conntrack_h323-lost-.data_len-definition-for-q.931-ipv6.patch
new file mode 100644 (file)
index 0000000..644fc37
--- /dev/null
@@ -0,0 +1,42 @@
+From MAILER-DAEMON Tue Jul  7 14:02:16 2020
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Tue, 09 Jun 2020 10:53:22 +0300
+Subject: netfilter: nf_conntrack_h323: lost .data_len definition for Q.931/ipv6
+To: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
+Cc: Florian Westphal <fw@strlen.de>
+Message-ID: <c2385b5c-309c-cc64-2e10-a0ef62897502@virtuozzo.com>
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+Could you please push this patch into stable@?
+it fixes memory corruption in kernels  v3.5 .. v4.10
+
+Lost .data_len definition leads to write beyond end of
+struct nf_ct_h323_master. Usually it corrupts following
+struct nf_conn_nat, however if nat is not loaded it corrupts
+following slab object.
+
+In mainline this problem went away in v4.11,
+after commit 9f0f3ebeda47 ("netfilter: helpers: remove data_len usage
+for inkernel helpers") however many stable kernels are still affected.
+
+Fixes: 1afc56794e03 ("netfilter: nf_ct_helper: implement variable length helper private data") # v3.5
+cc: stable@vger.kernel.org
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_h323_main.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/nf_conntrack_h323_main.c
++++ b/net/netfilter/nf_conntrack_h323_main.c
+@@ -1225,6 +1225,7 @@ static struct nf_conntrack_helper nf_con
+       {
+               .name                   = "Q.931",
+               .me                     = THIS_MODULE,
++              .data_len               = sizeof(struct nf_ct_h323_master),
+               .tuple.src.l3num        = AF_INET6,
+               .tuple.src.u.tcp.port   = cpu_to_be16(Q931_PORT),
+               .tuple.dst.protonum     = IPPROTO_TCP,
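Review bot: The added `.data_len` initializer on the AF_INET6 "Q.931" entry has no comment recording why it is required, even though the commit message says its absence lets the helper write past the end of struct nf_ct_h323_master into the neighbouring slab object. A one-line comment above it would keep the invariant visible to the next backporter, for example `/* private data is struct nf_ct_h323_master; .data_len must cover it */`. The enclosing helper array starts and ends outside the hunk, so it cannot be confirmed from here that the sibling entries (the other address family, and any other helpers defined in this file) already set `.data_len`; that is worth checking against the 4.4 tree before the patch is queued. Since the message states that kernels v3.5 to v4.10 are affected, the same check applies to every other stable queue that receives this patch.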
index d89added8b184a661c36462ed96552b9e1c104e5..afbc96c6d50cdeceebcb376e85cde820ac96d974 100644 (file)
@@ -16,3 +16,4 @@ smb3-honor-seal-flag-for-multiuser-mounts.patch
 smb3-honor-persistent-resilient-handle-flags-for-multiuser-mounts.patch
 cifs-fix-the-target-file-was-deleted-when-rename-failed.patch
 mips-add-missing-ehb-in-mtc0-mfc0-sequence-for-dspen.patch
+netfilter-nf_conntrack_h323-lost-.data_len-definition-for-q.931-ipv6.patch