Commit d076fe8
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
jira VULN-179953
cve CVE-2026-23455
commit-author Jenny Guanni Qu <qguanni@gmail.com>
commit f173d0f
In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
the packet, then decrements it by 1 to skip the protocol discriminator
byte before passing it to DecodeH323_UserInformation(). If the encoded
length is 0, the decrement wraps to -1, which is then passed as a
large value to the decoder, leading to an out-of-bounds read.
Add a check to ensure len is positive after the decrement.
Fixes: 5e35941 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
Reported-by: Dawid Moczadło <dawid@vidocsecurity.com>
Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit f173d0f)
Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>1 parent 3410059 commit d076fe8
1 file changed
Lines changed: 2 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
868 | 868 | | |
869 | 869 | | |
870 | 870 | | |
| 871 | + | |
| 872 | + | |
871 | 873 | | |
872 | 874 | | |
873 | 875 | | |
| |||
0 commit comments