Zhouyi Zhou <zhouzhouyi@xxxxxxxxx> wrote:
> Thanks Eric for your review and advice.
>
> I think hackers could build a malicious h323 packet to overflow
> the pointer p which will panic during the memcpy(addr, p, len)
>
> For example, he may fabricate a very large taddr->ipAddress.ip;

Can you be more specific?

h323_buffer is backend storage for skb_header_pointer, i.e. this will
error out early when we ask for more data than is available in packet.

I don't understand how this could overflow anything.

Even assuming 64k packet we'd still have enough room in h323_buffer
for an ipv6 address, no? (we skip the l3/l4 header when extracting
packet payload).