From patchwork Tue Mar 22 11:55:29 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: David Sterba <dsterba@suse.cz>
X-Patchwork-Id: 87902
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 9D5ECB6F7B
	for <patchwork-incoming@ozlabs.org>;
	Tue, 22 Mar 2011 22:56:08 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753539Ab1CVLzp (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Tue, 22 Mar 2011 07:55:45 -0400
Received: from cantor.suse.de ([195.135.220.2]:34173 "EHLO mx1.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752034Ab1CVLzo (ORCPT <rfc822;netdev@vger.kernel.org>);
	Tue, 22 Mar 2011 07:55:44 -0400
Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.221.2])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.suse.de (Postfix) with ESMTP id 6F6C190975;
	Tue, 22 Mar 2011 12:55:43 +0100 (CET)
Received: by ds.suse.cz (Postfix, from userid 10065)
	id 3E091747CE; Tue, 22 Mar 2011 12:55:42 +0100 (CET)
From: David Sterba <dsterba@suse.cz>
To: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, David Sterba <dsterba@suse.cz>,
	David Miller <davem@davemloft.net>, stable@kernel.org
Subject: [PATCH] netfilter: h323: bug in parsing of ASN1 SEQOF field
Date: Tue, 22 Mar 2011 12:55:29 +0100
Message-Id: <1300794929-1541-1-git-send-email-dsterba@suse.cz>
X-Mailer: git-send-email 1.7.4.1.176.g501cc
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Static analyzer of clang found a dead store which appears to be a bug in
reading count of items in SEQOF field, only the lower byte of word is
stored. This may lead to corrupted read and communication shutdown.

The bug has been in the module since it's first inclusion into linux
kernel.

Signed-off-by: David Sterba <dsterba@suse.cz>
CC: David Miller <davem@davemloft.net>
CC: netdev@vger.kernel.org
CC: stable@kernel.org
---
 net/netfilter/nf_conntrack_h323_asn1.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index 8678823..bcd5ed6 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -631,7 +631,7 @@ static int decode_seqof(bitstr_t *bs, const struct field_t *f,
 		CHECK_BOUND(bs, 2);
 		count = *bs->cur++;
 		count <<= 8;
-		count = *bs->cur++;
+		count += *bs->cur++;
 		break;
 	case SEMI:
 		BYTE_ALIGN(bs);