netfilter: nf_ct_sip: validate Content-Length in TCP SIP messages

Verify that the message length of a single SIP message, which is calculated based on the Content-Length field contained in the SIP message, does not exceed the packet boundaries. Signed-off-by: N Patrick McHardy <kaber@trash.net>

netfilter: nf_ct_sip: validate Content-Length in TCP SIP messages
Verify that the message length of a single SIP message, which is calculated based on the Content-Length field contained in the SIP message, does not exceed the packet boundaries. Signed-off-by: N Patrick McHardy <kaber@trash.net>
274ea0e2 · Patrick McHardy · 74973f6f · 274ea0e2
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

net/netfilter/nf_conntrack_sip.c net/netfilter/nf_conntrack_sip.c +2 -0

未找到文件。
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1461,6 +1461,8 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
 		end += strlen("\r\n\r\n") + clen;

 		msglen = origlen = end - dptr;
+		if (msglen > datalen)
+			return NF_DROP;

 		ret = process_sip_msg(skb, ct, dataoff, &dptr, &msglen);
 		if (ret != NF_ACCEPT)