Commit 25845b51 authored by Jing Min Zhao, committed by David S. Miller

[NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values

Choices' index values may be out of range while still encoded in the fixed
length bit-field. This bug may cause access to undefined types (NULL
pointers) and thus crashes (Reported by Zhongling Wen).

This patch also adds checking of decode flag when decoding SEQUENCEs.
Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 2cd052e4
...@@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t * f, char *base, int level) ...@@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t * f, char *base, int level)
CHECK_BOUND(bs, 2); CHECK_BOUND(bs, 2);
len = get_len(bs); len = get_len(bs);
CHECK_BOUND(bs, len); CHECK_BOUND(bs, len);
if (!base) { if (!base || !(son->attr & DECODE)) {
PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
" ", son->name); " ", son->name);
bs->cur += len; bs->cur += len;
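Review bot: the widened condition `if (!base || !(son->attr & DECODE))` in decode_seq is a separate behaviour change from the choice-index range check and gets only one line in the commit message. Please either split it into its own patch or state in the message what goes wrong when a SEQUENCE member without DECODE is descended into. A short comment above the `if` saying that such members are skipped by advancing `bs->cur` by `len` would also help, since the skip is only safe because of the `CHECK_BOUND(bs, len)` just before it.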
...@@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t * f, char *base, int level) ...@@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t * f, char *base, int level)
} else { } else {
ext = 0; ext = 0;
type = get_bits(bs, f->sz); type = get_bits(bs, f->sz);
if (type >= f->lb)
return H323_ERROR_RANGE;
} }
/* Write Type */ /* Write Type */
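Review bot: the new `if (type >= f->lb)` check in decode_choice sits only in the `else` (non-extension) branch, and the extension branch is outside this hunk, so please confirm that the index read there is bounded as well before it is used to select a type. The field name `lb` does not make it obvious that it holds the number of valid choices here. A one-line comment on the check, noting that `get_bits(bs, f->sz)` can return any value that fits in `f->sz` bits and therefore can exceed the number of defined choices, would make the intent clear to the next reader.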
......