Commit 8d712f0
CIQ Kernel Automation
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
jira VULN-179956
cve CVE-2026-23455
commit-author Jenny Guanni Qu <qguanni@gmail.com>
commit f173d0f
In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
the packet, then decrements it by 1 to skip the protocol discriminator
byte before passing it to DecodeH323_UserInformation(). If the encoded
length is 0, the decrement wraps to -1, which is then passed as a
large value to the decoder, leading to an out-of-bounds read.
Add a check to ensure len is positive after the decrement.
Fixes: 5e35941 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
Reported-by: Dawid Moczadło <dawid@vidocsecurity.com>
Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit f173d0f)
Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>1 parent e54d1c8 commit 8d712f0
1 file changed
Lines changed: 2 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
918 | 918 | | |
919 | 919 | | |
920 | 920 | | |
| 921 | + | |
| 922 | + | |
921 | 923 | | |
922 | 924 | | |
923 | 925 | | |
| |||
0 commit comments