[thirdparty/kernel/stable-queue.git] / releases / 4.19.51 / netfilter-nf_conntrack_h323-restore-boundary-check-c.patch

From 0c6d6813636c21d797a1c3b3b70bac78277ed535 Mon Sep 17 00:00:00 2001
From: Jakub Jankowski <shasta@toxcorp.com>
Date: Thu, 25 Apr 2019 23:46:50 +0200
Subject: netfilter: nf_conntrack_h323: restore boundary check correctness

[ Upstream commit f5e85ce8e733c2547827f6268136b70b802eabdb ]

Since commit bc7d811ace4a ("netfilter: nf_ct_h323: Convert
CHECK_BOUND macro to function"), NAT traversal for H.323
doesn't work, failing to parse H323-UserInformation.
nf_h323_error_boundary() compares contents of the bitstring,
not the addresses, preventing valid H.323 packets from being
conntrack'd.

This looks like an oversight from when CHECK_BOUND macro was
converted to a function.

To fix it, stop dereferencing bs->cur and bs->end.

Fixes: bc7d811ace4a ("netfilter: nf_ct_h323: Convert CHECK_BOUND macro to function")
Signed-off-by: Jakub Jankowski <shasta@toxcorp.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_conntrack_h323_asn1.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index 1601275efe2d..4c2ef42e189c 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -172,7 +172,7 @@ static int nf_h323_error_boundary(struct bitstr *bs, size_t bytes, size_t bits)
 	if (bits % BITS_PER_BYTE > 0)
 		bytes++;
 
-	if (*bs->cur + bytes > *bs->end)
+	if (bs->cur + bytes > bs->end)
 		return 1;
 
 	return 0;
-- 
2.20.1
Commit	Line	Data
37554d48 SL	1	From 0c6d6813636c21d797a1c3b3b70bac78277ed535 Mon Sep 17 00:00:00 2001
	2	From: Jakub Jankowski <shasta@toxcorp.com>
	3	Date: Thu, 25 Apr 2019 23:46:50 +0200
	4	Subject: netfilter: nf_conntrack_h323: restore boundary check correctness
	5
	6	[ Upstream commit f5e85ce8e733c2547827f6268136b70b802eabdb ]
	7
	8	Since commit bc7d811ace4a ("netfilter: nf_ct_h323: Convert
	9	CHECK_BOUND macro to function"), NAT traversal for H.323
	10	doesn't work, failing to parse H323-UserInformation.
	11	nf_h323_error_boundary() compares contents of the bitstring,
	12	not the addresses, preventing valid H.323 packets from being
	13	conntrack'd.
	14
	15	This looks like an oversight from when CHECK_BOUND macro was
	16	converted to a function.
	17
	18	To fix it, stop dereferencing bs->cur and bs->end.
	19
	20	Fixes: bc7d811ace4a ("netfilter: nf_ct_h323: Convert CHECK_BOUND macro to function")
	21	Signed-off-by: Jakub Jankowski <shasta@toxcorp.com>
	22	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	23	Signed-off-by: Sasha Levin <sashal@kernel.org>
	24	---
	25	net/netfilter/nf_conntrack_h323_asn1.c \| 2 +-
	26	1 file changed, 1 insertion(+), 1 deletion(-)
	27
	28	diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
	29	index 1601275efe2d..4c2ef42e189c 100644
	30	--- a/net/netfilter/nf_conntrack_h323_asn1.c
	31	+++ b/net/netfilter/nf_conntrack_h323_asn1.c
	32	@@ -172,7 +172,7 @@ static int nf_h323_error_boundary(struct bitstr *bs, size_t bytes, size_t bits)
	33	if (bits % BITS_PER_BYTE > 0)
	34	bytes++;
	35
	36	- if (bs->cur + bytes > bs->end)
	37	+ if (bs->cur + bytes > bs->end)
	38	return 1;
	39
	40	return 0;
	41	--
	42	2.20.1
	43