On Mon, Nov 13, 2017 at 09:09:41AM +0100, eric.sesterhenn@xxxxxxxxxxx wrote: > From: Eric Sesterhenn <eric.sesterhenn@xxxxxxxxxxx> > > This patches several out of bounds memory reads by extending > the nf_h323_error_boundary() function to work on bits as well > and check the affected parts. Also applied with changes, see below. [...] > diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c > index f358222b1e5e..b8b4fecaa016 100644 > --- a/net/netfilter/nf_conntrack_h323_asn1.c > +++ b/net/netfilter/nf_conntrack_h323_asn1.c > @@ -165,8 +165,13 @@ static unsigned int get_len(bitstr_t *bs) > } > > /****************************************************************************/ > -static int nf_h323_error_boundary(bitstr_t *bs, size_t bytes) > +static int nf_h323_error_boundary(bitstr_t *bs, size_t bytes, size_t bits) > { > + bits += bs->bit; > + bytes += bits / 8; I changed this to use BITS_PER_BYTE instead of hardcoded 8, just a minor cosmetic cleanup. Please review, I'm going to push to nf-next.git, given I had to mangle your patches slightly, just to make sure I didn't let any mistake slip through. Thanks.
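Review bot: in nf_h323_error_boundary(), `bytes += bits / 8;` carries only whole bytes, and the quoted hunk ends there, so the handling of a non-zero remainder (`bits % 8`) is not visible. A read that ends partway into a byte still touches that byte, so the function should round `bytes` up by one in that case before the boundary comparison; otherwise the check can pass a bit read that reaches one byte further than it accounted for. The new `bits` parameter also deserves a short comment above the function stating that it is counted from the current `bs->bit` offset, since the signature change means byte-only callers now have to supply a value for it.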