
Commit e6e4d9ed authored by Patrick McHardy

netfilter: nf_ct_sip: fix SDP parsing in TCP SIP messages for some Cisco phones



Some Cisco phones do not place the Content-Length field at the end of the
SIP message. This is valid; due to a misunderstanding of the specification,
the parser expects the SDP body to start directly after the Content-Length
field. Fix the parser to scan for \r\n\r\n to locate the beginning of the
SDP body.

Reported-by: Teresa Kang <teresa_kang@gemtek.com.tw>
Signed-off-by: Patrick McHardy <kaber@trash.net>
parent 274ea0e2
+10 −4
@@ -1419,6 +1419,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
	const char *dptr, *end;
	s16 diff, tdiff = 0;
	int ret = NF_ACCEPT;
	bool term;
	typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;

	if (ctinfo != IP_CT_ESTABLISHED &&
@@ -1453,10 +1454,15 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
		if (dptr + matchoff == end)
			break;

		if (end + strlen("\r\n\r\n") > dptr + datalen)
		term = false;
		for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
			if (end[0] == '\r' && end[1] == '\n' &&
			    end[2] == '\r' && end[3] == '\n') {
				term = true;
				break;
		if (end[0] != '\r' || end[1] != '\n' ||
		    end[2] != '\r' || end[3] != '\n')
			}
		}
		if (!term)
			break;
		end += strlen("\r\n\r\n") + clen;
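Review bot: the last line of this hunk, `end += strlen("\r\n\r\n") + clen;`, advances `end` by `clen`, and nothing in the visible lines checks that the result still lies within `dptr + datalen`. The new loop only guarantees that the four terminator bytes are inside the buffer; `clen` is assigned outside the hunk and, going by the commit message, comes from the Content-Length header, so it is a peer-controlled length. Please confirm that the code following this line rejects or defers a message whose computed end exceeds `datalen` before the body is handed to the SDP parser, and if it does not, add that check here. Two smaller points: the forward scan deserves a one-line comment saying that Content-Length need not be the last header, since the loop otherwise looks like an over-general replacement for the old fixed-position test; and `strlen("\r\n\r\n")` now appears three times in this block, so a local constant would make the bound in the `for` condition easier to audit.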