Skip to content

Commit 8d712f0

Browse files
author
CIQ Kernel Automation
committed
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
jira VULN-179956 cve CVE-2026-23455 commit-author Jenny Guanni Qu <qguanni@gmail.com> commit f173d0f In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive after the decrement. Fixes: 5e35941 ("[NETFILTER]: Add H.323 conntrack/NAT helper") Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com> Reported-by: Dawid Moczadło <dawid@vidocsecurity.com> Tested-by: Jenny Guanni Qu <qguanni@gmail.com> Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> (cherry picked from commit f173d0f) Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
1 parent e54d1c8 commit 8d712f0

1 file changed

Lines changed: 2 additions & 0 deletions

File tree

net/netfilter/nf_conntrack_h323_asn1.c

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -918,6 +918,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
918918
break;
919919
p++;
920920
len--;
921+
if (len <= 0)
922+
break;
921923
return DecodeH323_UserInformation(buf, p, len,
922924
&q931->UUIE);
923925
}

0 commit comments

Comments
 (0)