From: Greg Kroah-Hartman
Date: Sat, 7 Jul 2007 05:02:14 +0000 (-0700)
Subject: 2.6.20.15 and 2.6.21.6 releases
X-Git-Tag: v2.6.22.1~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=040125ac8b91a7f3f8b8bdb027656991e9f73f8c;p=thirdparty%2Fkernel%2Fstable-queue.git
2.6.20.15 and 2.6.21.6 releases
---
diff --git a/releases/2.6.20.15/nf_conntrack_h323-add-checking-of-out-of-range-on-choices-index-values.patch b/releases/2.6.20.15/nf_conntrack_h323-add-checking-of-out-of-range-on-choices-index-values.patch
new file mode 100644
index 00000000000..d3e2545ce79
--- /dev/null
+++ b/releases/2.6.20.15/nf_conntrack_h323-add-checking-of-out-of-range-on-choices-index-values.patch
@@ -0,0 +1,47 @@
+From stable-bounces@linux.kernel.org Thu Jul 5 11:42:31 2007
+Message-ID: <468D3B86.5020308@trash.net>
+Date: Thu, 05 Jul 2007 20:42:14 +0200
+From: Patrick McHardy
+To: "David S. Miller"
+Cc: security@kernel.org, Netfilter Development Mailinglist , stable@kernel.org
+Subject: [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
+
+From: Jing Min Zhao
+
+[NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
+
+Choices' index values may be out of range while still encoded in the fixed
+length bit-field. This bug may cause access to undefined types (NULL
+pointers) and thus crashes (Reported by Zhongling Wen).
+
+This patch also adds checking of decode flag when decoding SEQUENCEs.
+
+Signed-off-by: Jing Min Zhao
+Signed-off-by: Patrick McHardy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t *
+ CHECK_BOUND(bs, 2);
+ len = get_len(bs);
+ CHECK_BOUND(bs, len);
+- if (!base) {
++ if (!base || !(son->attr & DECODE)) {
+ PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
+ " ", son->name);
+ bs->cur += len;
+@@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t
+ } else {
+ ext = 0;
+ type = get_bits(bs, f->sz);
++ if (type >= f->lb)
++ return H323_ERROR_RANGE;
+ }
+
+ /* Write Type */
diff --git a/releases/2.6.21.6/nf_conntrack_h323-add-checking-of-out-of-range-on-choices-index-values.patch b/releases/2.6.21.6/nf_conntrack_h323-add-checking-of-out-of-range-on-choices-index-values.patch
new file mode 100644
index 00000000000..d3e2545ce79
--- /dev/null
+++ b/releases/2.6.21.6/nf_conntrack_h323-add-checking-of-out-of-range-on-choices-index-values.patch
@@ -0,0 +1,47 @@
+From stable-bounces@linux.kernel.org Thu Jul 5 11:42:31 2007
+Message-ID: <468D3B86.5020308@trash.net>
+Date: Thu, 05 Jul 2007 20:42:14 +0200
+From: Patrick McHardy
+To: "David S. Miller"
+Cc: security@kernel.org, Netfilter Development Mailinglist , stable@kernel.org
+Subject: [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
+
+From: Jing Min Zhao
+
+[NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
+
+Choices' index values may be out of range while still encoded in the fixed
+length bit-field. This bug may cause access to undefined types (NULL
+pointers) and thus crashes (Reported by Zhongling Wen).
+
+This patch also adds checking of decode flag when decoding SEQUENCEs.
+
+Signed-off-by: Jing Min Zhao
+Signed-off-by: Patrick McHardy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t *
+ CHECK_BOUND(bs, 2);
+ len = get_len(bs);
+ CHECK_BOUND(bs, len);
+- if (!base) {
++ if (!base || !(son->attr & DECODE)) {
+ PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
+ " ", son->name);
+ bs->cur += len;
+@@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t
+ } else {
+ ext = 0;
+ type = get_bits(bs, f->sz);
++ if (type >= f->lb)
++ return H323_ERROR_RANGE;
+ }
+
+ /* Write Type */
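Review bot: The range check added in the queued `decode_choice` hunk, `if (type >= f->lb)`, appears to treat `lb` as the number of valid root alternatives, which the field name does not convey. A one-line comment above it would record the reason, for example `/* an index read from f->sz bits can exceed the number of root alternatives (f->lb) */`. The check sits only in the `else` branch; the extension-bit branch begins above the hunk, so it cannot be confirmed from these lines that an extended index is bounded before it selects a type, and that is worth verifying since the index comes from packet data. The `decode_seq` change in the same patch is a separate behaviour change (skipping sons without `DECODE`) and would be easier to audit as its own commit. The same patch text is queued under both releases/2.6.20.15 and releases/2.6.21.6 (same blob d3e2545ce79), so these points apply to both copies.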