summaryrefslogtreecommitdiff
path: root/include/uapi/linux/wimax/git@git.tavy.me:linux.git
diff options
context:
space:
mode:
authorJenny Guanni Qu <qguanni@gmail.com>2026-03-12 14:49:50 +0000
committerFlorian Westphal <fw@strlen.de>2026-03-13 15:31:15 +0100
commitf173d0f4c0f689173f8cdac79991043a4a89bf66 (patch)
tree81751cf0bb0d29a14830e53189161a7499fea730 /include/uapi/linux/wimax/git@git.tavy.me:linux.git
parent00050ec08cecfda447e1209b388086d76addda3a (diff)
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive after the decrement. Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com> Reported-by: Dawid Moczadło <dawid@vidocsecurity.com> Tested-by: Jenny Guanni Qu <qguanni@gmail.com> Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'include/uapi/linux/wimax/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions
generated by cgit v1.2.3 (git 2.25.1) at 2026-04-01 19:24:10 +0000