* [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
@ 2007-07-05 18:42 Patrick McHardy
2007-07-06 0:05 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Patrick McHardy @ 2007-07-05 18:42 UTC (permalink / raw)
To: David S. Miller; +Cc: security, Netfilter Development Mailinglist, stable
[-- Attachment #1: Type: text/plain, Size: 141 bytes --]
Fix a remotely triggerable crash in the netfilter H.323 connection
tracking helper. Patch applies to stable 2.6.20/2.6.21 and current
-git.
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 1610 bytes --]
[NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
Choices' index values may be out of range while still encoded in the fixed
length bit-field. This bug may cause access to undefined types (NULL
pointers) and thus crashes (Reported by Zhongling Wen).
This patch also adds checking of decode flag when decoding SEQUENCEs.
Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 5e8b2229d2d2bdbc4c05e4b3176d5054efe6b146
tree f99e5a063dac012f3caea6e78d3f73d64d1e576a
parent 190045d53b9a8341e8600d6eb468b6081e903afb
author Patrick McHardy <kaber@trash.net> Thu, 05 Jul 2007 20:30:59 +0200
committer Patrick McHardy <kaber@trash.net> Thu, 05 Jul 2007 20:30:59 +0200
net/netfilter/nf_conntrack_h323_asn1.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index f6fad71..6b7eaa0 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t * f, char *base, int level)
CHECK_BOUND(bs, 2);
len = get_len(bs);
CHECK_BOUND(bs, len);
- if (!base) {
+ if (!base || !(son->attr & DECODE)) {
PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
" ", son->name);
bs->cur += len;
@@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t * f, char *base, int level)
} else {
ext = 0;
type = get_bits(bs, f->sz);
+ if (type >= f->lb)
+ return H323_ERROR_RANGE;
}
/* Write Type */
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
2007-07-05 18:42 [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values Patrick McHardy
@ 2007-07-06 0:05 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2007-07-06 0:05 UTC (permalink / raw)
To: kaber; +Cc: security, netfilter-devel, stable
From: Patrick McHardy <kaber@trash.net>
Date: Thu, 05 Jul 2007 20:42:14 +0200
> Fix a remotely triggerable crash in the netfilter H.323 connection
> tracking helper. Patch applies to stable 2.6.20/2.6.21 and current
> -git.
Applied, thanks Patrick.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2007-07-06 0:05 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-07-05 18:42 [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values Patrick McHardy
2007-07-06 0:05 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.