netfilter: nf_conntrack_h323: fix off-by-one in DecodeQ931

This patch corrects an off-by-one error in the DecodeQ931 function in the nf_conntrack_h323 module. This error could result in reading off the end of a Q.931 frame. Signed-off-by: Toby DiPasquale <toby@cbcg.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Toby DiPasquale 2016-07-11 12:32:45 +0200
committer: Pablo Neira Ayuso 2016-07-11 12:32:45 +0200
commit: c2b9b4fee8ab86f2bb657e5ac48d803879e92765 (patch)
tree: eab004aea8fd32b8b3f75a51bada4696f5385047 /net/netfilter/nf_conntrack_h323_asn1.c
parent: Merge tag 'ipvs-for-v4.8' of https://git.kernel.org/pub/scm/linux/kernel/git/... (diff)
download: kernel-qcow2-linux-c2b9b4fee8ab86f2bb657e5ac48d803879e92765.tar.gz
kernel-qcow2-linux-c2b9b4fee8ab86f2bb657e5ac48d803879e92765.tar.xz
kernel-qcow2-linux-c2b9b4fee8ab86f2bb657e5ac48d803879e92765.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index bcd5ed6b7130..89b2e46925c4 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -846,9 +846,10 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
 	sz -= len;
 
 	/* Message Type */
-	if (sz < 1)
+	if (sz < 2)
 		return H323_ERROR_BOUND;
 	q931->MessageType = *p++;
+	sz--;
 	PRINT("MessageType = %02X\n", q931->MessageType);
 	if (*p & 0x80) {
 		p++;
author	Toby DiPasquale	2016-07-11 12:32:45 +0200
committer	Pablo Neira Ayuso	2016-07-11 12:32:45 +0200
commit	c2b9b4fee8ab86f2bb657e5ac48d803879e92765 (patch)
tree	eab004aea8fd32b8b3f75a51bada4696f5385047 /net/netfilter/nf_conntrack_h323_asn1.c
parent	Merge tag 'ipvs-for-v4.8' of https://git.kernel.org/pub/scm/linux/kernel/git/... (diff)
download	kernel-qcow2-linux-c2b9b4fee8ab86f2bb657e5ac48d803879e92765.tar.gz kernel-qcow2-linux-c2b9b4fee8ab86f2bb657e5ac48d803879e92765.tar.xz kernel-qcow2-linux-c2b9b4fee8ab86f2bb657e5ac48d803879e92765.zip