Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=25845b5155b55cd77e42655ec24161ba3feffa47
Commit:     25845b5155b55cd77e42655ec24161ba3feffa47
Parent:     2cd052e44329dd2b42eb958f8f346b053de6e2cd
Author:     Jing Min Zhao <[EMAIL PROTECTED]>
AuthorDate: Thu Jul 5 17:05:01 2007 -0700
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Thu Jul 5 17:40:23 2007 -0700

    [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' 
index values
    
    Choices' index values may be out of range while still encoded in the fixed
    length bit-field. This bug may cause access to undefined types (NULL
    pointers) and thus crashes (Reported by Zhongling Wen).
    
    This patch also adds checking of decode flag when decoding SEQUENCEs.
    
    Signed-off-by: Jing Min Zhao <[EMAIL PROTECTED]>
    Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
    Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
---
 net/netfilter/nf_conntrack_h323_asn1.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nf_conntrack_h323_asn1.c 
b/net/netfilter/nf_conntrack_h323_asn1.c
index f6fad71..6b7eaa0 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t * f, char *base, int 
level)
                        CHECK_BOUND(bs, 2);
                        len = get_len(bs);
                        CHECK_BOUND(bs, len);
-                       if (!base) {
+                       if (!base || !(son->attr & DECODE)) {
                                PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
                                      " ", son->name);
                                bs->cur += len;
@@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t * f, char *base, 
int level)
        } else {
                ext = 0;
                type = get_bits(bs, f->sz);
+               if (type >= f->lb)
+                       return H323_ERROR_RANGE;
        }
 
        /* Write Type */
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to