netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case - kernel/linux.git

diff options

author	Jenny Guanni Qu <qguanni@gmail.com>	2026-03-12 05:29:32 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2026-03-25 13:13:25 +0300
commit	fb6c3596823ec5dd09c2123340330d7448f51a59 (patch)
tree	9d7e532b8a00f8bdde70e0a015cffdfa0d5a8fc4 /include
parent	5c4ff7a56c812d4c6306dec393cc387679802fc1 (diff)
download	linux-fb6c3596823ec5dd09c2123340330d7448f51a59.tar.xz

netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case

[ Upstream commit 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a ] In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a boundary check for len bytes after get_bits() and before get_uint(). Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com> Reported-by: Dawid Moczadło <dawid@vidocsecurity.com> Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Sasha Levin <sashal@kernel.org>

Diffstat (limited to 'include')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: