Skip to content

Commit d076fe8

Browse files
CIQ Kernel Automationroxanan1996
authored andcommitted
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
jira VULN-179953 cve CVE-2026-23455 commit-author Jenny Guanni Qu <qguanni@gmail.com> commit f173d0f In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive after the decrement. Fixes: 5e35941 ("[NETFILTER]: Add H.323 conntrack/NAT helper") Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com> Reported-by: Dawid Moczadło <dawid@vidocsecurity.com> Tested-by: Jenny Guanni Qu <qguanni@gmail.com> Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> (cherry picked from commit f173d0f) Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
1 parent 3410059 commit d076fe8

1 file changed

Lines changed: 2 additions & 0 deletions

File tree

net/netfilter/nf_conntrack_h323_asn1.c

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -868,6 +868,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
868868
break;
869869
p++;
870870
len--;
871+
if (len <= 0)
872+
break;
871873
return DecodeH323_UserInformation(buf, p, len,
872874
&q931->UUIE);
873875
}

0 commit comments

Comments
 (0)