[NETFILTER]: SIP conntrack: fix out of bounds memory access

When checking for an @-sign in skp_epaddr_len, make sure not to
run over the packet boundaries.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/netfilter/ip_conntrack_sip.c b/net/ipv4/netfilter/ip_conntrack_sip.c
index 571d27e2091028fff2f167290afe6dbc83249f45..11c588a10e6b5e7adf993f59a3ae5a8a6dd2cfd3 100644 (file)
--- a/net/ipv4/netfilter/ip_conntrack_sip.c
+++ b/net/ipv4/netfilter/ip_conntrack_sip.c
@@ -292,7 +292,7 @@ static int skp_epaddr_len(const char *dptr, const char *limit, int *shift)
                dptr++;
        }
 
-       if (*dptr == '@') {
+       if (dptr <= limit && *dptr == '@') {
                dptr++;
                (*shift)++;
        } else

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index c93fb37a54fc8dde78ab161b52d5df73662b960a..9dec115346784428f3b2a18a64873ce77299f2db 100644 (file)
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -312,7 +312,7 @@ static int skp_epaddr_len(struct nf_conn *ct, const char *dptr,
                dptr++;
        }
 
-       if (*dptr == '@') {
+       if (dptr <= limit && *dptr == '@') {
                dptr++;
                (*shift)++;
        } else