From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jakub Jankowski <shasta@toxcorp.com>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 052/141] netfilter: nf_conntrack_h323: restore boundary check correctness
Date: Sat, 1 Jun 2019 09:20:28 -0400 [thread overview]
Message-ID: <20190601132158.25821-52-sashal@kernel.org> (raw)
In-Reply-To: <20190601132158.25821-1-sashal@kernel.org>
From: Jakub Jankowski <shasta@toxcorp.com>
[ Upstream commit f5e85ce8e733c2547827f6268136b70b802eabdb ]
Since commit bc7d811ace4a ("netfilter: nf_ct_h323: Convert
CHECK_BOUND macro to function"), NAT traversal for H.323
doesn't work, failing to parse H323-UserInformation.
nf_h323_error_boundary() compares contents of the bitstring,
not the addresses, preventing valid H.323 packets from being
conntrack'd.
This looks like an oversight from when CHECK_BOUND macro was
converted to a function.
To fix it, stop dereferencing bs->cur and bs->end.
Fixes: bc7d811ace4a ("netfilter: nf_ct_h323: Convert CHECK_BOUND macro to function")
Signed-off-by: Jakub Jankowski <shasta@toxcorp.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_h323_asn1.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index 1601275efe2d1..4c2ef42e189cb 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -172,7 +172,7 @@ static int nf_h323_error_boundary(struct bitstr *bs, size_t bytes, size_t bits)
if (bits % BITS_PER_BYTE > 0)
bytes++;
- if (*bs->cur + bytes > *bs->end)
+ if (bs->cur + bytes > bs->end)
return 1;
return 0;
--
2.20.1
next prev parent reply other threads:[~2019-06-01 13:34 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-01 13:19 [PATCH AUTOSEL 4.19 001/141] rapidio: fix a NULL pointer dereference when create_workqueue() fails Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 002/141] fs/fat/file.c: issue flush after the writeback of FAT Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 003/141] sysctl: return -EINVAL if val violates minmax Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 004/141] ipc: prevent lockup on alloc_msg and free_msg Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 005/141] drm/pl111: Initialize clock spinlock early Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 006/141] ARM: prevent tracing IPI_CPU_BACKTRACE Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 007/141] mm/hmm: select mmu notifier when selecting HMM Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 008/141] hugetlbfs: on restore reserve error path retain subpool reservation Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 009/141] mem-hotplug: fix node spanned pages when we have a node with only ZONE_MOVABLE Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 010/141] mm/cma.c: fix crash on CMA allocation if bitmap allocation fails Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 011/141] initramfs: free initrd memory if opening /initrd.image fails Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 012/141] mm/cma.c: fix the bitmap status to show failed allocation reason Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 013/141] mm: page_mkclean vs MADV_DONTNEED race Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 014/141] mm/cma_debug.c: fix the break condition in cma_maxchunk_get() Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 015/141] mm/slab.c: fix an infinite loop in leaks_show() Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 016/141] kernel/sys.c: prctl: fix false positive in validate_prctl_map() Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 017/141] thermal: rcar_gen3_thermal: disable interrupt in .remove Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 018/141] drivers: thermal: tsens: Don't print error message on -EPROBE_DEFER Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 019/141] mfd: tps65912-spi: Add missing of table registration Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 020/141] mfd: intel-lpss: Set the device in reset state when init Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 021/141] drm/nouveau/disp/dp: respect sink limits when selecting failsafe link configuration Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 022/141] mfd: twl6040: Fix device init errors for ACCCTL register Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 023/141] perf/x86/intel: Allow PEBS multi-entry in watermark mode Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 024/141] drm/nouveau/kms/gf119-gp10x: push HeadSetControlOutputResource() mthd when encoders change Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 025/141] drm/bridge: adv7511: Fix low refresh rate selection Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 026/141] objtool: Don't use ignore flag for fake jumps Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 027/141] drm/nouveau/kms/gv100-: fix spurious window immediate interlocks Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 028/141] bpf: fix undefined behavior in narrow load handling Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 029/141] EDAC/mpc85xx: Prevent building as a module Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 030/141] NFS4: Fix v4.0 client state corruption when mount Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 031/141] pwm: meson: Use the spin-lock only to protect register modifications Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 032/141] mailbox: stm32-ipcc: check invalid irq Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 033/141] ntp: Allow TAI-UTC offset to be set to zero Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 034/141] f2fs: fix to avoid panic in do_recover_data() Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 035/141] f2fs: fix to avoid panic in f2fs_inplace_write_data() Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 036/141] f2fs: fix to avoid panic in f2fs_remove_inode_page() Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 037/141] f2fs: fix to do sanity check on free nid Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 038/141] f2fs: fix to clear dirty inode in error path of f2fs_iget() Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 039/141] f2fs: fix to avoid panic in dec_valid_block_count() Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 040/141] f2fs: fix to use inline space only if inline_xattr is enable Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 041/141] f2fs: fix to do sanity check on valid block count of segment Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 042/141] f2fs: fix to do checksum even if inode page is uptodate Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 043/141] percpu: remove spurious lock dependency between percpu and sched Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 044/141] tracing: Fix partial reading of trace event's id file Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 045/141] configfs: fix possible use-after-free in configfs_register_group Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 046/141] uml: fix a boot splat wrt use of cpu_all_mask Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 047/141] PCI: dwc: Free MSI in dw_pcie_host_init() error path Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 048/141] PCI: dwc: Free MSI IRQ page in dw_pcie_free_msi() Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 049/141] ovl: do not generate duplicate fsnotify events for "fake" path Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 050/141] mmc: mmci: Prevent polling for busy detection in IRQ context Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 051/141] netfilter: nf_flow_table: fix missing error check for rhashtable_insert_fast Sasha Levin
2019-06-01 13:20 ` Sasha Levin [this message]
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 053/141] mips: Make sure dt memory regions are valid Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 054/141] netfilter: nf_tables: fix base chain stat rcu_dereference usage Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 055/141] watchdog: Use depends instead of select for pretimeout governors Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 056/141] watchdog: imx2_wdt: Fix set_timeout for big timeout values Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190601132158.25821-52-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=coreteam@netfilter.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=shasta@toxcorp.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).