diff options
| author | Patrick McHardy <kaber@trash.net> | 2011-05-16 14:42:26 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-06-03 09:31:52 +0900 |
| commit | fa8c3f668b17e2e508d14f44bbf8368b3d7ea92e (patch) | |
| tree | b075f466efe4a044f4af78fe52a7e2b9a448211f /net | |
| parent | d9b389384c8805635af0955549cb10012b8c4d68 (diff) | |
netfilter: nf_ct_sip: validate Content-Length in TCP SIP messages
[ Upstream commit 274ea0e2a4cdf18110e5931b8ecbfef6353e5293 ]
Verify that the message length of a single SIP message, which is calculated
based on the Content-Length field contained in the SIP message, does not
exceed the packet boundaries.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/nf_conntrack_sip.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index 237cc1981b89..3fed15e82512 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c @@ -1461,6 +1461,8 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, end += strlen("\r\n\r\n") + clen; msglen = origlen = end - dptr; + if (msglen > datalen) + return NF_DROP; ret = process_sip_msg(skb, ct, dataoff, &dptr, &msglen); if (ret != NF_ACCEPT) |