[NETFILTER]: H.323 helper: fix endless loop caused by invalid TPKT len

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: Jing Min Zhao <zhaojingmin@hotmail.com>
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: [NETFILTER]: H.323 helper: fix endless loop caused by invalid TPKT len
Date: Fri, 28 Apr 2006 16:18:59 +0200	[thread overview]
Message-ID: <44522453.2040401@trash.net> (raw)

[-- Attachment #1: Type: text/plain, Size: 198 bytes --]

I ran the PROTOS c07-h2250v4 testsuite against the H.323 helper today
and found two bugs. I'm sending you both patches for review, if you
don't object I'll push them upstream in a couple of hours.


[-- Attachment #2: x1 --]
[-- Type: text/plain, Size: 1275 bytes --]

[NETFILTER]: H.323 helper: fix endless loop caused by invalid TPKT len

Then the TPKT len included in the packet is below the lowest valid value
of 4 an underflow occurs which results in an endless loop.

Found by testcase 0000058 from the PROTOS c07-h2250v4 testsuite.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 5074fd5f2344bc58355868c75c8abcd4145cde84
tree e99ca72642028c42ef67852b4584b6fef1ebe98a
parent c257fd2cb88fe09a510c696e4bbd442a4ee9f6fe
author Patrick McHardy <kaber@trash.net> Fri, 28 Apr 2006 11:35:55 +0200
committer Patrick McHardy <kaber@trash.net> Fri, 28 Apr 2006 11:35:55 +0200

 net/ipv4/netfilter/ip_conntrack_helper_h323.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323.c b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
index 2c2fb70..518f581 100644
--- a/net/ipv4/netfilter/ip_conntrack_helper_h323.c
+++ b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
@@ -162,6 +162,8 @@ static int get_tpkt_data(struct sk_buff 
 
 	/* Validate TPKT length */
 	tpktlen = tpkt[2] * 256 + tpkt[3];
+	if (tpktlen < 4)
+		goto clear_out;
 	if (tpktlen > tcpdatalen) {
 		if (tcpdatalen == 4) {	/* Separate TPKT header */
 			/* Netmeeting sends TPKT header and data separately */

                 reply	other threads:[~2006-04-28 14:18 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:2c2fb70 dfblob:518f581 )
 OR (
bs:"[NETFILTER]: H.323 helper: fix endless loop caused by invalid TPKT len" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=44522453.2040401@trash.net \
    --to=kaber@trash.net \
    --cc=netfilter-devel@lists.netfilter.org \
    --cc=zhaojingmin@hotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.