Commit 5776c0e
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
jira VULN-179958
cve CVE-2026-23455
commit-author Jenny Guanni Qu <qguanni@gmail.com>
commit f173d0f
In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
the packet, then decrements it by 1 to skip the protocol discriminator
byte before passing it to DecodeH323_UserInformation(). If the encoded
length is 0, the decrement wraps to -1, which is then passed as a
large value to the decoder, leading to an out-of-bounds read.
Add a check to ensure len is positive after the decrement.
Fixes: 5e35941 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
Reported-by: Dawid Moczadło <dawid@vidocsecurity.com>
Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit f173d0f)
Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>1 parent 4180939 commit 5776c0e
1 file changed
Lines changed: 2 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
922 | 922 | | |
923 | 923 | | |
924 | 924 | | |
| 925 | + | |
| 926 | + | |
925 | 927 | | |
926 | 928 | | |
927 | 929 | | |
| |||
0 commit comments