mirror of
https://github.com/joel16/android_kernel_sony_msm8994.git
synced 2024-11-28 22:51:06 +00:00
[NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
Choices' index values may be out of range while still encoded in the fixed length bit-field. This bug may cause access to undefined types (NULL pointers) and thus crashes (Reported by Zhongling Wen). This patch also adds checking of decode flag when decoding SEQUENCEs. Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
2cd052e443
commit
25845b5155
@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t * f, char *base, int level)
|
||||
CHECK_BOUND(bs, 2);
|
||||
len = get_len(bs);
|
||||
CHECK_BOUND(bs, len);
|
||||
if (!base) {
|
||||
if (!base || !(son->attr & DECODE)) {
|
||||
PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
|
||||
" ", son->name);
|
||||
bs->cur += len;
|
||||
@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t * f, char *base, int level)
|
||||
} else {
|
||||
ext = 0;
|
||||
type = get_bits(bs, f->sz);
|
||||
if (type >= f->lb)
|
||||
return H323_ERROR_RANGE;
|
||||
}
|
||||
|
||||
/* Write Type */
|
||||
|
Loading…
Reference in New Issue
Block a user