netfilter: Fix for SIP crashes when handling Segmented messages

	int msg_length[SIP_LIST_ELEMENTS];

	int skb_len[SIP_LIST_ELEMENTS];

	int data_len[SIP_LIST_ELEMENTS];

	int orig_data_len[SIP_LIST_ELEMENTS];

};

/* per conntrack: protocol private data */

	struct list_head sip_segment_list;

	const char *dptr_prev;

	bool dir_prev;

	struct sip_length segment;

	bool sip_original_dir;

	bool sip_reply_dir;

static int sip_direct_media = 1;

static unsigned nf_ct_enable_sip_segmentation;

static int packet_count;

static bool split_skb;

static

int proc_sip_segment(struct ctl_table *ctl, int write,

		     void __user *buffer, size_t *lenp, loff_t *ppos);

 */

static bool sip_save_segment_info(struct nf_conn *ct, struct sk_buff *skb,

				  unsigned int msglen, unsigned int datalen,

				  const char *dptr,

				  unsigned int datalen_orig, const char *dptr,

				  enum ip_conntrack_info ctinfo)

{

	enum ip_conntrack_dir dir = IP_CT_DIR_MAX;

			ct->segment.msg_length[0] = msglen;

			ct->segment.data_len[0] = datalen;

			ct->segment.skb_len[0] = skb->len;

			ct->segment.orig_data_len[0] = datalen_orig;

			ct->dptr_prev = dptr;

			ct->dir_prev = dir;

			ct->sip_original_dir = 1;

			skip = false;

		}

			ct->segment.msg_length[1] = msglen;

			ct->segment.data_len[1] = datalen;

			ct->segment.skb_len[1] = skb->len;

			ct->segment.orig_data_len[1] = datalen_orig;

			ct->dptr_prev = dptr;

			ct->dir_prev = dir;

			ct->sip_reply_dir = 1;

			skip = false;

		}

	return skip;

}

static bool sip_calculate_sequence_num(struct nf_conn *ct,

				       struct sk_buff **skb_ref,

				       enum ip_conntrack_info ctinfo)

{

	struct list_head *list_trav_node;

	struct list_head *list_backup_node;

	struct nf_conn *ct_list;

	enum ip_conntrack_info ctinfo_list;

	enum ip_conntrack_dir dir_list;

	enum ip_conntrack_dir dir = IP_CT_DIR_MAX;

	const struct tcphdr *th_old;

	unsigned int prev_data_len;

	unsigned int seq_no, seq_old, exp_seq_no;

	const struct tcphdr *th_new;

	struct sip_list *sip_entry = NULL;

	int orig_data_len = 0;

	int reply_data_len = 0;

	th_new = (struct tcphdr *)(skb_network_header(*skb_ref) +

		ip_hdrlen(*skb_ref));

	seq_no = ntohl(th_new->seq);

	dir = CTINFO2DIR(ctinfo);

	/* traverse the list it would have 1 or 2 elements. 1 element per

	 * direction at max

	 */

	list_for_each_safe(list_trav_node, list_backup_node,

			   &ct->sip_segment_list){

		sip_entry = list_entry(list_trav_node, struct sip_list, list);

		ct_list = nf_ct_get(sip_entry->entry->skb, &ctinfo_list);

		dir_list = CTINFO2DIR(ctinfo_list);

		/* take an element and check if its direction matches with the

		 * current one

		 */

		if (dir_list == dir) {

			/* once we have the two elements to be combined we do

			 * another check. match the next expected seq no of the

			 * packet in the list with the seq no of the current

			 * packet.this is to be protected  against out of order

			 * fragments

			 */

			th_old = ((struct tcphdr *)(skb_network_header

				(sip_entry->entry->skb) +

				ip_hdrlen(sip_entry->entry->skb)));

			orig_data_len = ct->segment.orig_data_len[0];

			reply_data_len = ct->segment.orig_data_len[1];

			prev_data_len = (dir == IP_CT_DIR_ORIGINAL) ?

			 orig_data_len : reply_data_len;

			seq_old = (ntohl(th_old->seq));

			exp_seq_no = seq_old+prev_data_len;

			if (exp_seq_no == seq_no)

				return true;

			else

				return false;

		}

	}

	return false;

}

static struct sip_list *sip_coalesce_segments(struct nf_conn *ct,

					      struct sk_buff **skb_ref,

					      unsigned int dataoff,

	bool fragstolen = false;

	int delta_truesize = 0;

	struct sip_list *sip_entry = NULL;

	int orig_data_len = 0;

	int reply_data_len = 0;

	th_new = (struct tcphdr *)(skb_network_header(*skb_ref) +

		ip_hdrlen(*skb_ref));

			th_old = ((struct tcphdr *)(skb_network_header

				(sip_entry->entry->skb) +

				ip_hdrlen(sip_entry->entry->skb)));

			orig_data_len = ct->segment.orig_data_len[0];

			reply_data_len = ct->segment.orig_data_len[1];

			prev_data_len = (dir == IP_CT_DIR_ORIGINAL) ?

			 ct->segment.data_len[0] : ct->segment.data_len[1];

			 orig_data_len : reply_data_len;

			seq_old = (ntohl(th_old->seq));

			exp_seq_no = seq_old+prev_data_len;

	s16 diff, tdiff = 0;

	int ret = NF_ACCEPT;

	bool term;

	unsigned int datalen = 0, msglen = 0, origlen = 0;

	unsigned int dataoff_orig = 0;

	unsigned int datalen = 0, msglen = 0, origlen = 0, partialdatalen = 0;

	unsigned int dataoff_orig = 0, datalen_orig = 0;

	unsigned int splitlen, oldlen, oldlen1;

	struct sip_list *sip_entry = NULL;

	bool skip_sip_process = false;

	bool skip = false;

	bool skb_is_combined = false;

	enum ip_conntrack_dir dir = IP_CT_DIR_MAX;

	struct sk_buff *combined_skb = NULL;

	struct sk_buff *combined_skb = NULL, *tskb = NULL;

	bool content_len_exists = 1;

	unsigned int len_skb = 0;

	struct sk_buff *nskb = NULL;

	packet_count++;

	pr_debug("packet count %d\n", packet_count);

	dptr = skb->data + dataoff;

	datalen = skb->len - dataoff;

	datalen_orig = datalen;

	if (datalen < strlen("SIP/2.0 200"))

		return NF_ACCEPT;

	if (!ct)

		return NF_DROP;

	dir = CTINFO2DIR(ctinfo);

sip_header_process:

	while (1) {

		if (ct_sip_get_header(ct, dptr, 0, datalen,

				      SIP_HDR_CONTENT_LENGTH,

				break;

			}

		}

		/* If the below condition is true it indicates packet

		 * is already present in Queue and we ve received a

		 * packet with content length field present which needs

		 * special handling.

		 */

		if ((dir == ct->dir_prev) &&

		    (ct->sip_original_dir || ct->sip_reply_dir) &&

		    sip_calculate_sequence_num(ct, &skb, ctinfo)) {

				/* Make a Copy of the skb for further

				 * use and make sure to free it

				 */

				nskb = skb_copy(skb, GFP_ATOMIC);

				if (!nskb) {

					pr_err("Cannot create SKB copy\n");

					return NF_DROP;

				}

				split_skb = true;

		}

		clen = simple_strtoul(dptr + matchoff, (char **)&end, 10);

		if (dptr + matchoff == end) {

			break;

			msglen = origlen;

		}

		pr_debug("mslgen %d datalen %d\n", msglen, datalen);

		if (!strncasecmp(dptr, "MESSAGE", strlen("MESSAGE")))

			return NF_ACCEPT;

		dir = CTINFO2DIR(ctinfo);

		combined_skb = skb;

		if (nf_ct_enable_sip_segmentation) {

			/* Segmented Packet */

			if (msglen > datalen) {

				skip = sip_save_segment_info(ct, skb, msglen,

							     datalen, dptr,

							     datalen,

							     datalen_orig,

							     dptr,

							     ctinfo);

				if (!skip)

					return NF_QUEUE;

			/*Traverse the list if list non empty */

			if (((&ct->sip_segment_list)->next) !=

				(&ct->sip_segment_list)) {

				/* Combine segments if they are fragments of

				 *  the same message.

				/* Combine segments if they are

				 * fragments of the same message.

				 */

				tskb = skb;

				if (split_skb) {

					/* Adjust the second skb length

					 * and datalength to have only the

					 * trailing part of the fragmented

					 * SIP message

					 */

				sip_entry = sip_coalesce_segments(ct, &skb,

					partialdatalen =

					ct->segment.msg_length[dir] -

					ct->segment.data_len[dir];

					skb_trim(nskb, dataoff+partialdatalen);

					tskb = nskb;

				}

				sip_entry = sip_coalesce_segments(ct, &tskb,

								  dataoff,

								  &combined_skb,

							 &skip_sip_process,

							 do_not_process,

								  ctinfo,

							 &skb_is_combined);

				sip_update_params(dir, &msglen, &origlen, &dptr,

						  &datalen,

						  skb_is_combined, ct);

		}

		len_skb = combined_skb->len - splitlen;

		pr_debug("len to copy is %d\n", len_skb);

		if (!split_skb)

			skb_copy_from_linear_data_offset(combined_skb,

							 splitlen, skb->data,

							 len_skb);

		skb_split(combined_skb, skb, splitlen);

		/* Update the first SIP segment details */

		combined_skb->data_len = 0;

		combined_skb->len = splitlen;

		skb_set_tail_pointer(combined_skb, splitlen);

		/* Headers need to be recalculated since during SIP processing

		 * headers are calculated based on the change in length of the

		 * combined message

			nf_reinject(sip_entry->entry, NF_ACCEPT);

			kfree(sip_entry);

		}

		if (split_skb) {

			if (dir == IP_CT_DIR_ORIGINAL)

				ct->sip_original_dir = 0;

			else

				ct->sip_reply_dir = 0;

			kfree_skb(nskb);

			split_skb =  false;

			goto sip_header_process;

		}

		skb->len = (oldlen1 + protoff) + tdiff - dataoff_orig;

		/* After splitting, push the headers back to the first skb which

		 * were removed before combining the skbs.This moves the skb