diff options
author | Patrick McHardy <kaber@trash.net> | 2006-05-03 23:16:29 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2006-05-03 23:16:29 -0700 |
commit | 6fd737031eb6869430d0f3cf6bf1440adf7aedf5 (patch) | |
tree | f4dfd6500f1ba0b915531c3b340164e30328e20f | |
parent | e17df688f7064dae1417ce425dd1e4b71d24d63b (diff) |
[NETFILTER]: H.323 helper: fix endless loop caused by invalid TPKT len
When the TPKT len included in the packet is below the lowest valid value
of 4 an underflow occurs which results in an endless loop.
Found by testcase 0000058 from the PROTOS c07-h2250v4 testsuite.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_helper_h323.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323.c b/net/ipv4/netfilter/ip_conntrack_helper_h323.c index 2c2fb700d83..518f581d39e 100644 --- a/net/ipv4/netfilter/ip_conntrack_helper_h323.c +++ b/net/ipv4/netfilter/ip_conntrack_helper_h323.c @@ -162,6 +162,8 @@ static int get_tpkt_data(struct sk_buff **pskb, struct ip_conntrack *ct, /* Validate TPKT length */ tpktlen = tpkt[2] * 256 + tpkt[3]; + if (tpktlen < 4) + goto clear_out; if (tpktlen > tcpdatalen) { if (tcpdatalen == 4) { /* Separate TPKT header */ /* Netmeeting sends TPKT header and data separately */ |