From: Patrick McHardy Date: Tue, 30 Jan 2007 22:25:24 +0000 (-0800) Subject: [NETFILTER]: SIP conntrack: fix out of bounds memory access X-Git-Tag: v2.6.20~37^2~4 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=adcb4711101dfef89d473f64a913089d303962ae;p=linux-2.6 [NETFILTER]: SIP conntrack: fix out of bounds memory access When checking for an @-sign in skp_epaddr_len, make sure not to run over the packet boundaries. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- diff --git a/net/ipv4/netfilter/ip_conntrack_sip.c b/net/ipv4/netfilter/ip_conntrack_sip.c index 571d27e209..11c588a10e 100644 --- a/net/ipv4/netfilter/ip_conntrack_sip.c +++ b/net/ipv4/netfilter/ip_conntrack_sip.c @@ -292,7 +292,7 @@ static int skp_epaddr_len(const char *dptr, const char *limit, int *shift) dptr++; } - if (*dptr == '@') { + if (dptr <= limit && *dptr == '@') { dptr++; (*shift)++; } else diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index c93fb37a54..9dec115346 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c @@ -312,7 +312,7 @@ static int skp_epaddr_len(struct nf_conn *ct, const char *dptr, dptr++; } - if (*dptr == '@') { + if (dptr <= limit && *dptr == '@') { dptr++; (*shift)++; } else