summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2011-05-16 14:45:39 +0200
committerPatrick McHardy <kaber@trash.net>2011-05-16 14:45:39 +0200
commite6e4d9ed11fb1fab8b3256a3dc14d71b5e984ac4 (patch)
treece2b0eb33f0be2524529d6b6d6dfe1469559d2d3 /net
parentnetfilter: nf_ct_sip: validate Content-Length in TCP SIP messages (diff)
downloadlinux-e6e4d9ed11fb1fab8b3256a3dc14d71b5e984ac4.tar.xz
linux-e6e4d9ed11fb1fab8b3256a3dc14d71b5e984ac4.zip
netfilter: nf_ct_sip: fix SDP parsing in TCP SIP messages for some Cisco phones
Some Cisco phones do not place the Content-Length field at the end of the SIP message. This is valid, due to a misunderstanding of the specification the parser expects the SDP body to start directly after the Content-Length field. Fix the parser to scan for \r\n\r\n to locate the beginning of the SDP body. Reported-by: Teresa Kang <teresa_kang@gemtek.com.tw> Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nf_conntrack_sip.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 1f81abde131f..c05c0dc33499 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1419,6 +1419,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
const char *dptr, *end;
s16 diff, tdiff = 0;
int ret = NF_ACCEPT;
+ bool term;
typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
if (ctinfo != IP_CT_ESTABLISHED &&
@@ -1453,10 +1454,15 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
if (dptr + matchoff == end)
break;
- if (end + strlen("\r\n\r\n") > dptr + datalen)
- break;
- if (end[0] != '\r' || end[1] != '\n' ||
- end[2] != '\r' || end[3] != '\n')
+ term = false;
+ for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
+ if (end[0] == '\r' && end[1] == '\n' &&
+ end[2] == '\r' && end[3] == '\n') {
+ term = true;
+ break;
+ }
+ }
+ if (!term)
break;
end += strlen("\r\n\r\n") + clen;