| From b4232a22776aa5d063f890d21ca69870dbbe431b Mon Sep 17 00:00:00 2001 |
| From: David Sterba <dsterba@suse.cz> |
| Date: Mon, 4 Apr 2011 15:21:02 +0200 |
| Subject: netfilter: h323: bug in parsing of ASN1 SEQOF field |
| |
| From: David Sterba <dsterba@suse.cz> |
| |
| commit b4232a22776aa5d063f890d21ca69870dbbe431b upstream. |
| |
| The clang static analyzer found a dead store which appears to be a bug in |
| reading the count of items in a SEQOF field: only the lower byte of the word |
| is stored. This may lead to a corrupted read and communication shutdown. |
| |
| The bug has been in the module since its first inclusion into the Linux |
| kernel. |
| |
| [Patrick: the bug is real, but without practical consequence since the |
| largest amount of sequence-of members we parse is 30.] |
| |
| Signed-off-by: David Sterba <dsterba@suse.cz> |
| Signed-off-by: Patrick McHardy <kaber@trash.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/netfilter/nf_conntrack_h323_asn1.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/netfilter/nf_conntrack_h323_asn1.c |
| +++ b/net/netfilter/nf_conntrack_h323_asn1.c |
| @@ -631,7 +631,7 @@ static int decode_seqof(bitstr_t *bs, co |
| CHECK_BOUND(bs, 2); |
| count = *bs->cur++; |
| count <<= 8; |
| - count = *bs->cur++; |
| + count += *bs->cur++; |
| break; |
| case SEMI: |
| BYTE_ALIGN(bs); |
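Review bot: with `count += *bs->cur++;` the high byte now survives, so counts above 255 reach the code after `break;` for the first time, and nothing in this hunk caps the value. `CHECK_BOUND(bs, 2)` only covers the two length bytes themselves. Please confirm that the rest of decode_seqof bounds `count` before using it as a loop limit or index (the commit message notes that at most 30 members are parsed), and that `count` is declared wide enough to hold 16 bits after `count <<= 8;`. As a style point, `count |= *bs->cur++;` states the byte-assembly intent more directly than `+=`, and a dead store is then harder to reintroduce unnoticed.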