
Commit 25845b51 authored by Jing Min Zhao, committed by David S. Miller

[NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values



Choices' index values may be out of range while still encoded in the fixed
length bit-field. This bug may cause access to undefined types (NULL
pointers) and thus crashes (Reported by Zhongling Wen).

This patch also adds checking of decode flag when decoding SEQUENCEs.

Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 2cd052e4
+3 −1
@@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t * f, char *base, int level)
			CHECK_BOUND(bs, 2);
			len = get_len(bs);
			CHECK_BOUND(bs, len);
			if (!base) {
			if (!base || !(son->attr & DECODE)) {
				PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
				      " ", son->name);
				bs->cur += len;
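Review bot: The widened condition `if (!base || !(son->attr & DECODE))` in decode_seq is a behaviour change separate from the range fix named in the subject line, and the commit message covers it in one sentence without giving a reason. Either split it into its own patch or say in the message what goes wrong when a field without DECODE set falls through to the decoding path. A short comment above the condition would also help, noting that such fields are only printed and skipped with `bs->cur += len`, and that the skip depends on the `CHECK_BOUND(bs, len)` just above having validated len.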
@@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t * f, char *base, int level)
	} else {
		ext = 0;
		type = get_bits(bs, f->sz);
		if (type >= f->lb)
			return H323_ERROR_RANGE;
	}

	/* Write Type */
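Review bot: The new test `if (type >= f->lb)` sits only in the `else` branch of decode_choice, so the type decoded in the branch before `} else {` (not visible in this hunk) gets no equivalent check here; please confirm that path cannot yield an index past the defined choices either, or add the matching test there. The comparison also relies on `f->lb` holding the number of defined choices for a CHOICE field, which the name does not suggest, so a one-line comment at the check stating that would save the next reader a trip to the type tables.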