* [NETFILTER]: H.323 helper: fix sequence extension parsing
@ 2006-05-22 10:46 Patrick McHardy
2006-05-23 4:31 ` Jing Min Zhao
0 siblings, 1 reply; 4+ messages in thread
From: Patrick McHardy @ 2006-05-22 10:46 UTC (permalink / raw)
To: Jing Min Zhao; +Cc: Netfilter Development Mailinglist
[-- Attachment #1: Type: text/plain, Size: 96 bytes --]
Doesn't really fix the crash I was seeing, but does hide it away :)
Anyway, it's a real bug ...
[-- Attachment #2: 02.diff --]
[-- Type: text/plain, Size: 1244 bytes --]
[NETFILTER]: H.323 helper: fix sequence extension parsing
When parsing unknown sequence extensions the "son"-pointer points behind
the last known extension for this type, don't try to interpret it.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit b3199d41dfddb7521bcc09ab0fc9925b5702c954
tree 7da1d63f6fa658506616cba8621dd1c348ef0c31
parent 27ce42efc29f421d4238c426769f057dd384bd14
author Patrick McHardy <kaber@trash.net> Mon, 22 May 2006 12:40:03 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 22 May 2006 12:40:03 +0200
net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c b/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
index 5f4d114..11862f1 100644
--- a/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
+++ b/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
@@ -555,7 +555,7 @@ int decode_seq(bitstr_t * bs, field_t *
/* Decode the extension components */
for (opt = 0; opt < bmp2_len; opt++, i++, son++) {
- if (son->attr & STOP) {
+ if (i < f->ub && son->attr & STOP) {
PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ",
son->name);
return H323_ERROR_STOP;
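Review bot: the new `i < f->ub` test in the `if` inside the extension loop protects only the `son->attr & STOP` read, while the loop header still does `son++` on every one of the `bmp2_len` iterations. Any later use of `son` in this loop body, outside the lines shown, needs the same bound; testing `i >= f->ub` once at the top of the body and handling the unknown extension there would cover every access rather than this one.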
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [NETFILTER]: H.323 helper: fix sequence extension parsing
2006-05-22 10:46 [NETFILTER]: H.323 helper: fix sequence extension parsing Patrick McHardy
@ 2006-05-23 4:31 ` Jing Min Zhao
2006-05-23 9:20 ` Patrick McHardy
0 siblings, 1 reply; 4+ messages in thread
From: Jing Min Zhao @ 2006-05-23 4:31 UTC (permalink / raw)
To: Patrick McHardy, Jing Min Zhao; +Cc: Netfilter Development Mailinglist
This is really a stupid bug. Thank you, Patrick.
> Doesn't really fix the crash I was seeing, but does hide it away :)
Can you please explain why? As I understand, it should've fixed
the crash.
Thanks,
Jing Min Zhao
----- Original Message -----
From: "Patrick McHardy" <kaber@trash.net>
To: "Jing Min Zhao" <zhaojingmin@users.sourceforge.net>
Cc: "Netfilter Development Mailinglist"
<netfilter-devel@lists.netfilter.org>
Sent: Monday, May 22, 2006 6:46 AM
Subject: [NETFILTER]: H.323 helper: fix sequence extension parsing
> Doesn't really fix the crash I was seeing, but does hide it away :)
> Anyway, it's a real bug ...
>
>
--------------------------------------------------------------------------------
> [NETFILTER]: H.323 helper: fix sequence extension parsing
>
> When parsing unknown sequence extensions the "son"-pointer points behind
> the last known extension for this type, don't try to interpret it.
>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
>
> ---
> commit b3199d41dfddb7521bcc09ab0fc9925b5702c954
> tree 7da1d63f6fa658506616cba8621dd1c348ef0c31
> parent 27ce42efc29f421d4238c426769f057dd384bd14
> author Patrick McHardy <kaber@trash.net> Mon, 22 May 2006 12:40:03 +0200
> committer Patrick McHardy <kaber@trash.net> Mon, 22 May 2006 12:40:03
> +0200
>
> net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
> b/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
> index 5f4d114..11862f1 100644
> --- a/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
> +++ b/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
> @@ -555,7 +555,7 @@ int decode_seq(bitstr_t * bs, field_t *
>
> /* Decode the extension components */
> for (opt = 0; opt < bmp2_len; opt++, i++, son++) {
> - if (son->attr & STOP) {
> + if (i < f->ub && son->attr & STOP) {
> PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ",
> son->name);
> return H323_ERROR_STOP;
>
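Review bot: in the changed `if`, `i < f->ub && son->attr & STOP` relies on `&` binding tighter than `&&`; it parses as intended, but writing `(son->attr & STOP)` makes that explicit. A one-line comment beside the condition, saying that slots at or beyond `f->ub` are unknown extensions with no `field_t` entry behind them, would record why the bound is there.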
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [NETFILTER]: H.323 helper: fix sequence extension parsing
2006-05-23 4:31 ` Jing Min Zhao
@ 2006-05-23 9:20 ` Patrick McHardy
2006-05-23 15:28 ` Jing Min Zhao
0 siblings, 1 reply; 4+ messages in thread
From: Patrick McHardy @ 2006-05-23 9:20 UTC (permalink / raw)
To: Jing Min Zhao; +Cc: Netfilter Development Mailinglist, Jing Min Zhao
Jing Min Zhao wrote:
> This is really a stupid bug. Thank you, Patrick.
>
>> Doesn't really fix the crash I was seeing, but does hide it away :)
>
>
> Can you please explain why? As I understand, it should've fixed
> the crash.
I think the reason why it makes the crash go away is because the
packets contained a long stream of malformed unknown extensions.
When the son pointer went past the array of field_t elements it
hit the next array, which contained elements marked STOP, so it
aborted parsing and didn't get to the point where it would have
noticed the malformed extensions. By changing it not to run past
the array it aborted properly, hiding the real reason for the
crash (my other patch).
^ permalink raw reply [flat|nested] 4+ messages in thread
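The table overrun described in the message above, as an added example that is not part of the thread or of the kernel source: a simplified model of the extension loop in which two types' field tables sit back to back in one array, so that stepping past the first type's known fields lands on the second type's entries in a well-defined way. `field_t`, `STOP`, `H323_ERROR_STOP`, `son` and `ub` are names from the patch; the table contents, the numeric values and `walk_extensions` are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define STOP 1             /* flag name from the patch; value constructed */
#define H323_ERROR_NONE 0  /* constructed value */
#define H323_ERROR_STOP 1  /* name from the patch; value constructed */

typedef struct { const char *name; unsigned attr; } field_t; /* simplified */

/* Constructed layout: type A's two known fields are followed directly by
 * type B's fields, all in one array so that stepping past A stays defined. */
static const field_t table[] = {
    {"a0", 0}, {"a1", 0},     /* type A at base 0, ub = 2 */
    {"b0", 0}, {"b1", STOP},  /* type B at base 2, ub = 2 */
};
#define TABLE_LEN (sizeof(table) / sizeof(table[0]))

/* Walk n_ext extension slots of the type at `base`, starting at child
 * index i. guarded = 0 uses the pre-patch test, 1 the patched one. */
static int walk_extensions(size_t base, size_t ub, size_t i,
                           size_t n_ext, int guarded)
{
    for (size_t opt = 0; opt < n_ext && base + i < TABLE_LEN; opt++, i++) {
        const field_t *son = &table[base + i];
        int stop = guarded ? (i < ub && (son->attr & STOP))
                           : (son->attr & STOP) != 0;
        if (stop)
            return H323_ERROR_STOP;
        /* i < ub: a known extension would be decoded here;
         * i >= ub: an unknown extension is skipped without using son. */
    }
    return H323_ERROR_NONE;
}

int main(void)
{
    /* Type A, one known extension (i = 1), three extensions announced. */
    printf("pre-patch: %d\n", walk_extensions(0, 2, 1, 3, 0));
    printf("patched:   %d\n", walk_extensions(0, 2, 1, 3, 1));
    return 0;
}
```

With the pre-patch test the walk over type A stops on type B's `b1` entry; with the bound in place a `STOP` flag is honoured only on a field that belongs to the type being decoded.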
* Re: [NETFILTER]: H.323 helper: fix sequence extension parsing
2006-05-23 9:20 ` Patrick McHardy
@ 2006-05-23 15:28 ` Jing Min Zhao
0 siblings, 0 replies; 4+ messages in thread
From: Jing Min Zhao @ 2006-05-23 15:28 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Development Mailinglist, Jing Min Zhao
----- Original Message -----
From: "Patrick McHardy" <kaber@trash.net>
To: "Jing Min Zhao" <zhaojingmin@hotmail.com>
Cc: "Netfilter Development Mailinglist" <netfilter-devel@lists.netfilter.org>; "Jing Min Zhao" <zhaojingmin@users.sourceforge.net>
Sent: Tuesday, May 23, 2006 5:20 AM
Subject: Re: [NETFILTER]: H.323 helper: fix sequence extension parsing
> Jing Min Zhao wrote:
>> This is really a stupid bug. Thank you, Patrick.
>>
>>> Doesn't really fix the crash I was seeing, but does hide it away :)
>>
>>
>> Can you please explain why? As I understand, it should've fixed
>> the crash.
>
> I think the reason why it makes the crash go away is because the
> packets contained a long stream of malformed unknown extensions.
> When the son pointer went past the array of field_t elements it
> hit the next array, which contained elements marked STOP, so it
> aborted parsing and didn't get to the point where it would have
> noticed the malformed extensions. By changing it not to run past
> the array it aborted properly, hiding the real reason for the
> crash (my other patch).
>
>
>
Sorry, I misunderstood. Yes, you are correct. Actually, we should never access
any member of pointer son if i >= f->ub.
^ permalink raw reply [flat|nested] 4+ messages in thread