Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

[NETFILTER]: H.323 helper: fix parser error propagation

The condition "> H323_ERROR_STOP" can never be true since H323_ERROR_STOP
is positive and is the highest possible return code, while real errors are
negative; fix the checks. Also only abort on real errors in some spots
that were just interpreting any return value != 0 as error.

Fixes crashes caused by use of stale data after a parsing error occurred:

BUG: unable to handle kernel paging request at virtual address bfffffff
printing eip:
c01aa0f8
*pde = 1a801067
*pte = 00000000
Oops: 0000 [#1]
PREEMPT
Modules linked in: ip_nat_h323 ip_conntrack_h323 nfsd exportfs sch_sfq sch_red cls_fw sch_hfsc xt_length ipt_owner xt_MARK iptable_mangle nfs lockd sunrpc pppoe pppoxx
CPU: 0
EIP: 0060:[<c01aa0f8>] Not tainted VLI
EFLAGS: 00210646 (2.6.17-rc4 #8)
EIP is at memmove+0x19/0x22
eax: d77264e9 ebx: d77264e9 ecx: e88d9b17 edx: d77264e9
esi: bfffffff edi: bfffffff ebp: de6a7680 esp: c0349db8
ds: 007b es: 007b ss: 0068
Process asterisk (pid: 3765, threadinfo=c0349000 task=da068540)
Stack: <0>00000006 c0349e5e d77264e3 e09a2b4e e09a38a0 d7726052 d7726124 00000491
00000006 00000006 00000006 00000491 de6a7680 d772601e d7726032 c0349f74
e09a2dc2 00000006 c0349e5e 00000006 00000000 d76dda28 00000491 c0349f74
Call Trace:
[<e09a2b4e>] mangle_contents+0x62/0xfe [ip_nat]
[<e09a2dc2>] ip_nat_mangle_tcp_packet+0xa1/0x191 [ip_nat]
[<e0a2712d>] set_addr+0x74/0x14c [ip_nat_h323]
[<e0ad531e>] process_setup+0x11b/0x29e [ip_conntrack_h323]
[<e0ad534f>] process_setup+0x14c/0x29e [ip_conntrack_h323]
[<e0ad57bd>] process_q931+0x3c/0x142 [ip_conntrack_h323]
[<e0ad5dff>] q931_help+0xe0/0x144 [ip_conntrack_h323]
...

Found by the PROTOS c07-h2250v4 testsuite.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
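The return-code convention the commit message relies on (H323_ERROR_STOP positive and highest, H323_ERROR_NONE zero, real errors negative) is easy to get wrong, so here is an added, self-contained C model of the bug and the fix. This is not kernel code and not part of the original commit: the enum values, the `stream`/`decode_element`/`decode_sequence` names and the two packets are constructed for illustration, chosen to match the description in the message. It shows why `err > H323_ERROR_STOP` never fires on a real error (the length-prefixed caller then walks its cursor past the end of the buffer, which is the stale-data condition behind the oops), why `err != 0` wrongly aborts on a plain STOP, and how `err < H323_ERROR_NONE` gets both cases right.

```c
#include <stddef.h>

/* Return-code convention, assumed from the commit message: STOP is the
 * highest code and positive, NONE is zero, real errors are negative.
 * Values are constructed for this example, not taken from the kernel. */
enum {
    H323_ERROR_NONE  = 0,
    H323_ERROR_STOP  = 1,
    H323_ERROR_BOUND = -1,
    H323_ERROR_RANGE = -2,
};

/* Which "did the sub-decoder fail?" test the caller applies. */
enum check {
    CHECK_GT_STOP,   /* err > H323_ERROR_STOP : pre-patch if-branches, never true */
    CHECK_NONZERO,   /* err != 0              : pre-patch else-branches, aborts on STOP */
    CHECK_LT_NONE,   /* err < H323_ERROR_NONE : the patched test */
};

/* Hypothetical stand-in for the kernel's bitstr. Indices rather than
 * pointers, so an out-of-range cursor is plain arithmetic, not UB. */
struct stream {
    const unsigned char *buf;
    size_t len;   /* bytes available */
    size_t cur;   /* next byte to read */
};

/* Toy element decoder: one byte of value. BOUND if the stream is
 * exhausted, STOP when the byte is the constructed marker 0xff meaning
 * "nothing further to decode in this element", NONE otherwise. */
static int decode_element(struct stream *s, unsigned char *out)
{
    if (s->cur >= s->len)
        return H323_ERROR_BOUND;
    *out = s->buf[s->cur++];
    return *out == 0xff ? H323_ERROR_STOP : H323_ERROR_NONE;
}

static int failed(enum check c, int err)
{
    switch (c) {
    case CHECK_GT_STOP: return err > H323_ERROR_STOP;
    case CHECK_NONZERO: return err != 0;
    default:            return err < H323_ERROR_NONE;
    }
}

/* Toy length-prefixed sequence decoder following the kernel's pattern:
 * remember beg, decode the child, then set cur = beg + len. */
static int decode_sequence(struct stream *s, enum check c, unsigned char *out)
{
    size_t beg, len;
    int err;

    if (s->cur >= s->len)
        return H323_ERROR_BOUND;
    len = s->buf[s->cur++];
    beg = s->cur;

    err = decode_element(s, out);
    if (failed(c, err))
        return err;

    /* With CHECK_GT_STOP a negative err never triggers the return above,
     * so an attacker-chosen len moves cur past the end of the buffer and
     * every later field is decoded from stale or out-of-bounds data. */
    s->cur = beg + len;
    return H323_ERROR_NONE;
}

/* Constructed input 1: length byte claims 200 content bytes, supplies none.
 * Returns the decoder's code; *over receives how far cur overshot len. */
static int run_truncated(enum check c, size_t *over)
{
    static const unsigned char pkt[] = { 200 };
    struct stream s = { pkt, sizeof pkt, 0 };
    unsigned char v = 0;
    int err = decode_sequence(&s, c, &v);
    *over = s.cur > s.len ? s.cur - s.len : 0;
    return err;
}

/* Constructed input 2: one content byte that is the STOP marker, then a
 * byte a following field would consume. *cur_after receives the cursor. */
static int run_stop(enum check c, size_t *cur_after)
{
    static const unsigned char pkt[] = { 1, 0xff, 0x42 };
    struct stream s = { pkt, sizeof pkt, 0 };
    unsigned char v = 0;
    int err = decode_sequence(&s, c, &v);
    *cur_after = s.cur;
    return err;
}
```

With the first packet, `CHECK_GT_STOP` reports success and leaves the cursor 200 bytes beyond the buffer, while `CHECK_LT_NONE` returns H323_ERROR_BOUND with the cursor untouched. With the second, `CHECK_NONZERO` aborts on the harmless STOP, while `CHECK_LT_NONE` continues and leaves the cursor on the next field, which is the behaviour the patch restores in the former `!= 0` spots.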

Authored by Patrick McHardy and committed by David S. Miller
7185989d 14ba3e7b

+19 -15
net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
··· 528 528 529 529 /* Decode */ 530 530 if ((err = (Decoders[son->type]) (bs, son, base, 531 - level + 1)) > 532 - H323_ERROR_STOP) 531 + level + 1)) < 532 + H323_ERROR_NONE) 533 533 return err; 534 534 535 535 bs->cur = beg + len; 536 536 bs->bit = 0; 537 537 } else if ((err = (Decoders[son->type]) (bs, son, base, 538 - level + 1))) 538 + level + 1)) < 539 + H323_ERROR_NONE) 539 540 return err; 540 541 } 541 542 ··· 585 584 beg = bs->cur; 586 585 587 586 if ((err = (Decoders[son->type]) (bs, son, base, 588 - level + 1)) > 589 - H323_ERROR_STOP) 587 + level + 1)) < 588 + H323_ERROR_NONE) 590 589 return err; 591 590 592 591 bs->cur = beg + len; ··· 661 660 i < 662 661 effective_count ? 663 662 base : NULL, 664 - level + 1)) > 665 - H323_ERROR_STOP) 663 + level + 1)) < 664 + H323_ERROR_NONE) 666 665 return err; 667 666 668 667 bs->cur = beg + len; 669 668 bs->bit = 0; 670 669 } else 671 - if ((err = (Decoders[son->type]) (bs, son, 672 - i < effective_count ? 673 - base : NULL, 674 - level + 1))) 675 - return err; 670 + if ((err = (Decoders[son->type]) (bs, son, 671 + i < 672 + effective_count ? 673 + base : NULL, 674 + level + 1)) < 675 + H323_ERROR_NONE) 676 + return err; 676 677 677 678 if (base) 678 679 base += son->offset; ··· 738 735 } 739 736 beg = bs->cur; 740 737 741 - if ((err = (Decoders[son->type]) (bs, son, base, level + 1)) > 742 - H323_ERROR_STOP) 738 + if ((err = (Decoders[son->type]) (bs, son, base, level + 1)) < 739 + H323_ERROR_NONE) 743 740 return err; 744 741 745 742 bs->cur = beg + len; 746 743 bs->bit = 0; 747 - } else if ((err = (Decoders[son->type]) (bs, son, base, level + 1))) 744 + } else if ((err = (Decoders[son->type]) (bs, son, base, level + 1)) < 745 + H323_ERROR_NONE) 748 746 return err; 749 747 750 748 return H323_ERROR_NONE;
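Review bot: in the first hunk (old lines 537-539) the else branch now keeps going after a positive H323_ERROR_STOP from the child decoder, but unlike the if branch just above it there is no `bs->cur = beg + len; bs->bit = 0;` to put the cursor at a known position, so continuing is only safe if every entry in Decoders[] returns STOP with bs->cur and bs->bit already at the end of what it consumed. A one-line comment at that call site stating this contract, or a check that each decoder honours it, would make the new semantics auditable.

Review bot: in the second hunk (old lines 587-590) the test `err < H323_ERROR_NONE` is the same expression that now appears in every call site of this file; a single helper such as `static inline int h323_is_err(int err) { return err < H323_ERROR_NONE; }` (name hypothetical) would keep the five copies from drifting apart the way the `> H323_ERROR_STOP` and `!= 0` variants did before this fix.

Review bot: in the third hunk (old lines 670-675) the only logic change is the added `< H323_ERROR_NONE`, but it is buried in a re-indentation of the whole else branch, which makes the diff harder to audit; the whitespace reflow would be better as a separate change. Note also that this is the loop case: after a STOP from one element the visible `if (base) base += son->offset;` still runs and the next iteration decodes from the cursor the stopped decoder left behind, so the same cursor-position contract as in the first hunk applies here.

Review bot: in the last hunk (old lines 747-750) the else-if is followed directly by `return H323_ERROR_NONE;`, so a child decoder's H323_ERROR_STOP is turned into NONE here rather than passed up. If STOP is only meant for the immediate parent, as the other hunks imply by not returning it, that is fine, but a comment saying so would be useful, since the if branch above it resets `bs->cur = beg + len` before continuing while this branch does not.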