]>
Commit | Line | Data |
---|---|---|
37554d48 SL |
1 | From 0c6d6813636c21d797a1c3b3b70bac78277ed535 Mon Sep 17 00:00:00 2001 |
2 | From: Jakub Jankowski <shasta@toxcorp.com> | |
3 | Date: Thu, 25 Apr 2019 23:46:50 +0200 | |
4 | Subject: netfilter: nf_conntrack_h323: restore boundary check correctness | |
5 | ||
6 | [ Upstream commit f5e85ce8e733c2547827f6268136b70b802eabdb ] | |
7 | ||
8 | Since commit bc7d811ace4a ("netfilter: nf_ct_h323: Convert | |
9 | CHECK_BOUND macro to function"), NAT traversal for H.323 | |
10 | doesn't work, failing to parse H323-UserInformation. | |
11 | nf_h323_error_boundary() compares contents of the bitstring, | |
12 | not the addresses, preventing valid H.323 packets from being | |
13 | conntrack'd. | |
14 | ||
15 | This looks like an oversight from when CHECK_BOUND macro was | |
16 | converted to a function. | |
17 | ||
18 | To fix it, stop dereferencing bs->cur and bs->end. | |
19 | ||
20 | Fixes: bc7d811ace4a ("netfilter: nf_ct_h323: Convert CHECK_BOUND macro to function") | |
21 | Signed-off-by: Jakub Jankowski <shasta@toxcorp.com> | |
22 | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | |
23 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
24 | --- | |
25 | net/netfilter/nf_conntrack_h323_asn1.c | 2 +- | |
26 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
27 | ||
28 | diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c | |
29 | index 1601275efe2d..4c2ef42e189c 100644 | |
30 | --- a/net/netfilter/nf_conntrack_h323_asn1.c | |
31 | +++ b/net/netfilter/nf_conntrack_h323_asn1.c | |
32 | @@ -172,7 +172,7 @@ static int nf_h323_error_boundary(struct bitstr *bs, size_t bytes, size_t bits) | |
33 | if (bits % BITS_PER_BYTE > 0) | |
34 | bytes++; | |
35 | ||
36 | - if (*bs->cur + bytes > *bs->end) | |
37 | + if (bs->cur + bytes > bs->end) | |
38 | return 1; | |
39 | ||
40 | return 0; | |
41 | -- | |
42 | 2.20.1 | |
43 |