diff mbox

off-by-one in DecodeQ931

Message ID CAML0wpGWvcpB5GE_zAjOeO6ki_nszaj+hR9yyadwu_3hQno7Cg@mail.gmail.com
State Superseded
Delegated to: Pablo Neira
Headers show

Commit Message

Toby DiPasquale May 3, 2016, 5:12 a.m. UTC 
On Mon, Apr 25, 2016 at 11:29 AM, Florian Westphal <fw@strlen.de> wrote:
> -> sz (size_t) will underflow here
>
> I'd suggest to change the if (sz < 1) to if (sz < 2) to
> resolve this, the while loop below has to be taken anyway.

Thanks, Florian! Updated patch below:

Signed-off-by: Toby DiPasquale <toby@cbcg.net>

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Toby DiPasquale May 21, 2016, 12:20 a.m. UTC | #1 
I'm a bit new to this; is this patch OK?

On Tue, May 3, 2016 at 1:12 AM, Toby DiPasquale <toby@cbcg.net> wrote:
> On Mon, Apr 25, 2016 at 11:29 AM, Florian Westphal <fw@strlen.de> wrote:
>> -> sz (size_t) will underflow here
>>
>> I'd suggest to change the if (sz < 1) to if (sz < 2) to
>> resolve this, the while loop below has to be taken anyway.
>
> Thanks, Florian! Updated patch below:
>
> Signed-off-by: Toby DiPasquale <toby@cbcg.net>
>
> diff --git a/net/netfilter/nf_conntrack_h323_asn1.c
> b/net/netfilter/nf_conntrack_h323_asn1.c
> index bcd5ed6..89b2e46 100644
> --- a/net/netfilter/nf_conntrack_h323_asn1.c
> +++ b/net/netfilter/nf_conntrack_h323_asn1.c
> @@ -846,9 +846,10 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
>         sz -= len;
>
>         /* Message Type */
> -       if (sz < 1)
> +       if (sz < 2)
>                 return H323_ERROR_BOUND;
>         q931->MessageType = *p++;
> +       sz--;
>         PRINT("MessageType = %02X\n", q931->MessageType);
>         if (*p & 0x80) {
>                 p++;
Toby DiPasquale June 6, 2016, 1:50 p.m. UTC | #2 
Is this latest patch OK?

On Tue, May 3, 2016 at 1:12 AM, Toby DiPasquale <toby@cbcg.net> wrote:
> On Mon, Apr 25, 2016 at 11:29 AM, Florian Westphal <fw@strlen.de> wrote:
>> -> sz (size_t) will underflow here
>>
>> I'd suggest to change the if (sz < 1) to if (sz < 2) to
>> resolve this, the while loop below has to be taken anyway.
>
> Thanks, Florian! Updated patch below:
>
> Signed-off-by: Toby DiPasquale <toby@cbcg.net>
>
> diff --git a/net/netfilter/nf_conntrack_h323_asn1.c
> b/net/netfilter/nf_conntrack_h323_asn1.c
> index bcd5ed6..89b2e46 100644
> --- a/net/netfilter/nf_conntrack_h323_asn1.c
> +++ b/net/netfilter/nf_conntrack_h323_asn1.c
> @@ -846,9 +846,10 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
>         sz -= len;
>
>         /* Message Type */
> -       if (sz < 1)
> +       if (sz < 2)
>                 return H323_ERROR_BOUND;
>         q931->MessageType = *p++;
> +       sz--;
>         PRINT("MessageType = %02X\n", q931->MessageType);
>         if (*p & 0x80) {
>                 p++;
Florian Westphal June 6, 2016, 2:35 p.m. UTC | #3 
Toby DiPasquale <toby@cbcg.net> wrote:
> Is this latest patch OK?

Yes, I don't know why it wasn't applied yet.

Pablo?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso June 6, 2016, 2:55 p.m. UTC | #4 
On Mon, Jun 06, 2016 at 04:35:55PM +0200, Florian Westphal wrote:
> Toby DiPasquale <toby@cbcg.net> wrote:
> > Is this latest patch OK?
> 
> Yes, I don't know why it wasn't applied yet.
> 
> Pablo?

This doesn't apply.

$ git am /tmp/off-by-one-in-DecodeQ931.patch -s
Applying: off-by-one in DecodeQ931
error: patch failed: net/netfilter/nf_conntrack_h323_asn1.c:846
error: net/netfilter/nf_conntrack_h323_asn1.c: patch does not apply
Patch failed at 0001 off-by-one in DecodeQ931
The copy of the patch that failed is found in:
   patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

Could you resubmit using git-format-patch? Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Toby DiPasquale June 12, 2016, 11:29 p.m. UTC | #5 
Attached is the patch generated with git format-patch.

On Mon, Jun 6, 2016 at 10:55 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Mon, Jun 06, 2016 at 04:35:55PM +0200, Florian Westphal wrote:
>> Toby DiPasquale <toby@cbcg.net> wrote:
>> > Is this latest patch OK?
>>
>> Yes, I don't know why it wasn't applied yet.
>>
>> Pablo?
>
> This doesn't apply.
>
> $ git am /tmp/off-by-one-in-DecodeQ931.patch -s
> Applying: off-by-one in DecodeQ931
> error: patch failed: net/netfilter/nf_conntrack_h323_asn1.c:846
> error: net/netfilter/nf_conntrack_h323_asn1.c: patch does not apply
> Patch failed at 0001 off-by-one in DecodeQ931
> The copy of the patch that failed is found in:
>    patch
> When you have resolved this problem, run "git am --continue".
> If you prefer to skip this patch, run "git am --skip" instead.
> To restore the original branch and stop patching, run "git am --abort".
>
> Could you resubmit using git-format-patch? Thanks.
diff mbox

Patch

diff --git a/net/netfilter/nf_conntrack_h323_asn1.c
b/net/netfilter/nf_conntrack_h323_asn1.c
index bcd5ed6..89b2e46 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -846,9 +846,10 @@  int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
        sz -= len;

        /* Message Type */
-       if (sz < 1)
+       if (sz < 2)
                return H323_ERROR_BOUND;
        q931->MessageType = *p++;
+       sz--;
        PRINT("MessageType = %02X\n", q931->MessageType);
        if (*p & 0x80) {
                p++;