[NETFILTER]: H.323 helper: fix endless loop caused by invalid TPKT len
author Patrick McHardy <kaber@trash.net>
Thu, 4 May 2006 06:16:29 +0000 (23:16 -0700)
committer David S. Miller <davem@davemloft.net>
Thu, 4 May 2006 06:16:29 +0000 (23:16 -0700)
When the TPKT len included in the packet is below the lowest valid value
of 4 an underflow occurs which results in an endless loop.

Found by testcase 0000058 from the PROTOS c07-h2250v4 testsuite.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/netfilter/ip_conntrack_helper_h323.c

index 2c2fb700d835364e76f5f479bec02aacafa80074..518f581d39ece6058670ad9efda9df57d2191e68 100644 (file)
@@ -162,6 +162,8 @@ static int get_tpkt_data(struct sk_buff **pskb, struct ip_conntrack *ct,
 
        /* Validate TPKT length */
        tpktlen = tpkt[2] * 256 + tpkt[3];
+       if (tpktlen < 4)
+               goto clear_out;
        if (tpktlen > tcpdatalen) {
                if (tcpdatalen == 4) {  /* Separate TPKT header */
                        /* Netmeeting sends TPKT header and data separately */
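Review bot: The added `if (tpktlen < 4)` check has no comment explaining the bound, and the literal 4 now appears twice in this block (here and in `tcpdatalen == 4`) with nothing tying the two together. The commit message says 4 is the lowest valid TPKT length and that smaller values underflow into an endless loop, but a reader of the code alone cannot see that. Suggest a short comment on the new check stating that the TPKT length field counts the 4-byte header, so anything smaller is malformed and would underflow the later length arithmetic, and consider a named constant for the header size used by both comparisons. Since the value is computed from two attacker-controlled bytes (`tpkt[2] * 256 + tpkt[3]`), it is also worth confirming in the rest of the function that every later use of `tpktlen` sits behind this check and the `tpktlen > tcpdatalen` check.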