2.6.39-stable review patch. If anyone has any objections, please let us know.
------------------ Content-Length: 813 Lines: 27 From: Patrick McHardy <[email protected]> [ Upstream commit 274ea0e2a4cdf18110e5931b8ecbfef6353e5293 ] Verify that the message length of a single SIP message, which is calculated based on the Content-Length field contained in the SIP message, does not exceed the packet boundaries. Signed-off-by: Patrick McHardy <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- net/netfilter/nf_conntrack_sip.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c @@ -1461,6 +1461,8 @@ static int sip_help_tcp(struct sk_buff * end += strlen("\r\n\r\n") + clen; msglen = origlen = end - dptr; + if (msglen > datalen) + return NF_DROP; ret = process_sip_msg(skb, ct, dataoff, &dptr, &msglen); if (ret != NF_ACCEPT) _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
