summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-05-04 08:16:29 +0200
committerDavid S. Miller <davem@davemloft.net>2006-05-04 08:16:29 +0200
commit6fd737031eb6869430d0f3cf6bf1440adf7aedf5 (patch)
treef4dfd6500f1ba0b915531c3b340164e30328e20f /net
parent[NETFILTER] SCTP conntrack: fix infinite loop (diff)
downloadlinux-6fd737031eb6869430d0f3cf6bf1440adf7aedf5.tar.xz
linux-6fd737031eb6869430d0f3cf6bf1440adf7aedf5.zip
[NETFILTER]: H.323 helper: fix endless loop caused by invalid TPKT len
When the TPKT len included in the packet is below the lowest valid value of 4 an underflow occurs which results in an endless loop. Found by testcase 0000058 from the PROTOS c07-h2250v4 testsuite. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter/ip_conntrack_helper_h323.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323.c b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
index 2c2fb700d835..518f581d39ec 100644
--- a/net/ipv4/netfilter/ip_conntrack_helper_h323.c
+++ b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
@@ -162,6 +162,8 @@ static int get_tpkt_data(struct sk_buff **pskb, struct ip_conntrack *ct,
/* Validate TPKT length */
tpktlen = tpkt[2] * 256 + tpkt[3];
+ if (tpktlen < 4)
+ goto clear_out;
if (tpktlen > tcpdatalen) {
if (tcpdatalen == 4) { /* Separate TPKT header */
/* Netmeeting sends TPKT header and data separately */