summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorDavid Sterba <dsterba@suse.cz>2011-04-04 15:21:02 +0200
committerPatrick McHardy <kaber@trash.net>2011-04-04 15:21:02 +0200
commitb4232a22776aa5d063f890d21ca69870dbbe431b (patch)
tree81bcb79f87d7a36f37f347ef4c4ad95dc8678156 /net
parentnetfilter: ipset: references are protected by rwlock instead of mutex (diff)
downloadlinux-b4232a22776aa5d063f890d21ca69870dbbe431b.tar.xz
linux-b4232a22776aa5d063f890d21ca69870dbbe431b.zip
netfilter: h323: bug in parsing of ASN1 SEQOF field
Static analyzer of clang found a dead store which appears to be a bug in reading count of items in SEQOF field, only the lower byte of word is stored. This may lead to corrupted read and communication shutdown. The bug has been in the module since it's first inclusion into linux kernel. [Patrick: the bug is real, but without practical consequence since the largest amount of sequence-of members we parse is 30.] Signed-off-by: David Sterba <dsterba@suse.cz> Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nf_conntrack_h323_asn1.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index 867882313e49..bcd5ed6b7130 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -631,7 +631,7 @@ static int decode_seqof(bitstr_t *bs, const struct field_t *f,
CHECK_BOUND(bs, 2);
count = *bs->cur++;
count <<= 8;
- count = *bs->cur++;
+ count += *bs->cur++;
break;
case SEMI:
BYTE_ALIGN(bs);