blob: ff033aa7d2e7703a428b914ed88306fe132c4a9d [file] [log] [blame]
From b4232a22776aa5d063f890d21ca69870dbbe431b Mon Sep 17 00:00:00 2001
From: David Sterba <>
Date: Mon, 4 Apr 2011 15:21:02 +0200
Subject: netfilter: h323: bug in parsing of ASN1 SEQOF field
From: David Sterba <>
commit b4232a22776aa5d063f890d21ca69870dbbe431b upstream.
Static analyzer of clang found a dead store which appears to be a bug in
reading count of items in SEQOF field, only the lower byte of word is
stored. This may lead to corrupted read and communication shutdown.
The bug has been in the module since it's first inclusion into linux
[Patrick: the bug is real, but without practical consequence since the
largest amount of sequence-of members we parse is 30.]
Signed-off-by: David Sterba <>
Signed-off-by: Patrick McHardy <>
Signed-off-by: Greg Kroah-Hartman <>
net/netfilter/nf_conntrack_h323_asn1.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -631,7 +631,7 @@ static int decode_seqof(bitstr_t *bs, co
count = *bs->cur++;
count <<= 8;
- count = *bs->cur++;
+ count += *bs->cur++;
case SEMI: