[PATCH] off-by-one in DecodeQ931

[PATCH] off-by-one in DecodeQ931

[Toby DiPasquale]

I was reviewing the H.323 conntrack helper in the kernel when I came
across what appears to be an off-by-one error in the DecodeQ931
function. The MessageType field of the Q931 record is assigned and p
is incremented, but the corresponding decrement to sz is missing,
leading the sz variable to be one more than it should be. This patch
decrements sz so it is the proper value going into the parsing of the
information elements.

Signed-off-by: Toby DiPasquale <toby@cbcg.net>
--
diff --git a/net/netfilter/nf_conntrack_h323_asn1.c
b/net/netfilter/nf_conntrack_h323_asn1.c
index bcd5ed6..68b1557 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -849,6 +849,7 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
        if (sz < 1)
                return H323_ERROR_BOUND;
        q931->MessageType = *p++;
+       sz--;
        PRINT("MessageType = %02X\n", q931->MessageType);
        if (*p & 0x80) {
                p++;


-- 
Toby DiPasquale

Re: off-by-one in DecodeQ931

[Florian Westphal]

Toby DiPasquale <toby@cbcg.net> wrote:
> I was reviewing the H.323 conntrack helper in the kernel when I came
> across what appears to be an off-by-one error in the DecodeQ931
> function. The MessageType field of the Q931 record is assigned and p
> is incremented, but the corresponding decrement to sz is missing,
> leading the sz variable to be one more than it should be. This patch
> decrements sz so it is the proper value going into the parsing of the
> information elements.
> 
> Signed-off-by: Toby DiPasquale <toby@cbcg.net>

Looks correct, BUT

> diff --git a/net/netfilter/nf_conntrack_h323_asn1.c
> b/net/netfilter/nf_conntrack_h323_asn1.c
> index bcd5ed6..68b1557 100644
> --- a/net/netfilter/nf_conntrack_h323_asn1.c
> +++ b/net/netfilter/nf_conntrack_h323_asn1.c
> @@ -849,6 +849,7 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
>         if (sz < 1)
>                 return H323_ERROR_BOUND;

sz can be 1

>         q931->MessageType = *p++;
> +       sz--;

sz is now 0

>         PRINT("MessageType = %02X\n", q931->MessageType);
>         if (*p & 0x80) {
>                 p++;
>                 sz--;

-> sz (size_t) will underflow here

I'd suggest to change the if (sz < 1) to if (sz < 2) to
resolve this, the while loop below has to be taken anyway.

Re: off-by-one in DecodeQ931

[Toby DiPasquale]

On Mon, Apr 25, 2016 at 11:29 AM, Florian Westphal <fw@strlen.de> wrote:
> -> sz (size_t) will underflow here
>
> I'd suggest to change the if (sz < 1) to if (sz < 2) to
> resolve this, the while loop below has to be taken anyway.

Thanks, Florian! Updated patch below:

Signed-off-by: Toby DiPasquale <toby@cbcg.net>

diff --git a/net/netfilter/nf_conntrack_h323_asn1.c
b/net/netfilter/nf_conntrack_h323_asn1.c
index bcd5ed6..89b2e46 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -846,9 +846,10 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
        sz -= len;

        /* Message Type */
-       if (sz < 1)
+       if (sz < 2)
                return H323_ERROR_BOUND;
        q931->MessageType = *p++;
+       sz--;
        PRINT("MessageType = %02X\n", q931->MessageType);
        if (*p & 0x80) {
                p++;

Re: off-by-one in DecodeQ931

[Toby DiPasquale]

I'm a bit new to this; is this patch OK?

On Tue, May 3, 2016 at 1:12 AM, Toby DiPasquale <toby@cbcg.net> wrote:
> On Mon, Apr 25, 2016 at 11:29 AM, Florian Westphal <fw@strlen.de> wrote:
>> -> sz (size_t) will underflow here
>>
>> I'd suggest to change the if (sz < 1) to if (sz < 2) to
>> resolve this, the while loop below has to be taken anyway.
>
> Thanks, Florian! Updated patch below:
>
> Signed-off-by: Toby DiPasquale <toby@cbcg.net>
>
> diff --git a/net/netfilter/nf_conntrack_h323_asn1.c
> b/net/netfilter/nf_conntrack_h323_asn1.c
> index bcd5ed6..89b2e46 100644
> --- a/net/netfilter/nf_conntrack_h323_asn1.c
> +++ b/net/netfilter/nf_conntrack_h323_asn1.c
> @@ -846,9 +846,10 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
>         sz -= len;
>
>         /* Message Type */
> -       if (sz < 1)
> +       if (sz < 2)
>                 return H323_ERROR_BOUND;
>         q931->MessageType = *p++;
> +       sz--;
>         PRINT("MessageType = %02X\n", q931->MessageType);
>         if (*p & 0x80) {
>                 p++;



-- 
Toby DiPasquale

Re: off-by-one in DecodeQ931

[Toby DiPasquale]

Is this latest patch OK?

On Tue, May 3, 2016 at 1:12 AM, Toby DiPasquale <toby@cbcg.net> wrote:
> On Mon, Apr 25, 2016 at 11:29 AM, Florian Westphal <fw@strlen.de> wrote:
>> -> sz (size_t) will underflow here
>>
>> I'd suggest to change the if (sz < 1) to if (sz < 2) to
>> resolve this, the while loop below has to be taken anyway.
>
> Thanks, Florian! Updated patch below:
>
> Signed-off-by: Toby DiPasquale <toby@cbcg.net>
>
> diff --git a/net/netfilter/nf_conntrack_h323_asn1.c
> b/net/netfilter/nf_conntrack_h323_asn1.c
> index bcd5ed6..89b2e46 100644
> --- a/net/netfilter/nf_conntrack_h323_asn1.c
> +++ b/net/netfilter/nf_conntrack_h323_asn1.c
> @@ -846,9 +846,10 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
>         sz -= len;
>
>         /* Message Type */
> -       if (sz < 1)
> +       if (sz < 2)
>                 return H323_ERROR_BOUND;
>         q931->MessageType = *p++;
> +       sz--;
>         PRINT("MessageType = %02X\n", q931->MessageType);
>         if (*p & 0x80) {
>                 p++;



-- 
Toby DiPasquale

Re: off-by-one in DecodeQ931

[Florian Westphal]

Toby DiPasquale <toby@cbcg.net> wrote:
> Is this latest patch OK?

Yes, I don't know why it wasn't applied yet.

Pablo?

Re: off-by-one in DecodeQ931

[Pablo Neira Ayuso]

On Mon, Jun 06, 2016 at 04:35:55PM +0200, Florian Westphal wrote:
> Toby DiPasquale <toby@cbcg.net> wrote:
> > Is this latest patch OK?
> 
> Yes, I don't know why it wasn't applied yet.
> 
> Pablo?

This doesn't apply.

$ git am /tmp/off-by-one-in-DecodeQ931.patch -s
Applying: off-by-one in DecodeQ931
error: patch failed: net/netfilter/nf_conntrack_h323_asn1.c:846
error: net/netfilter/nf_conntrack_h323_asn1.c: patch does not apply
Patch failed at 0001 off-by-one in DecodeQ931
The copy of the patch that failed is found in:
   patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

Could you resubmit using git-format-patch? Thanks.

Re: off-by-one in DecodeQ931

[Toby DiPasquale]

[-- Attachment #1: Type: text/plain, Size: 978 bytes --]

Attached is the patch generated with git format-patch.

On Mon, Jun 6, 2016 at 10:55 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Mon, Jun 06, 2016 at 04:35:55PM +0200, Florian Westphal wrote:
>> Toby DiPasquale <toby@cbcg.net> wrote:
>> > Is this latest patch OK?
>>
>> Yes, I don't know why it wasn't applied yet.
>>
>> Pablo?
>
> This doesn't apply.
>
> $ git am /tmp/off-by-one-in-DecodeQ931.patch -s
> Applying: off-by-one in DecodeQ931
> error: patch failed: net/netfilter/nf_conntrack_h323_asn1.c:846
> error: net/netfilter/nf_conntrack_h323_asn1.c: patch does not apply
> Patch failed at 0001 off-by-one in DecodeQ931
> The copy of the patch that failed is found in:
>    patch
> When you have resolved this problem, run "git am --continue".
> If you prefer to skip this patch, run "git am --skip" instead.
> To restore the original branch and stop patching, run "git am --abort".
>
> Could you resubmit using git-format-patch? Thanks.



-- 
Toby DiPasquale

[-- Attachment #2: off-by-one.patch --]
[-- Type: application/octet-stream, Size: 805 bytes --]

From 2cada5fdce0ecd5b445a360917431cf0dfffa4bb Mon Sep 17 00:00:00 2001
From: Toby DiPasquale <toby@cbcg.net>
Date: Sun, 12 Jun 2016 19:27:53 -0400
Subject: [PATCH] fix off-by-one in DecodeQ931

---
 net/netfilter/nf_conntrack_h323_asn1.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index bcd5ed6..89b2e46 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -846,9 +846,10 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
 	sz -= len;
 
 	/* Message Type */
-	if (sz < 1)
+	if (sz < 2)
 		return H323_ERROR_BOUND;
 	q931->MessageType = *p++;
+	sz--;
 	PRINT("MessageType = %02X\n", q931->MessageType);
 	if (*p & 0x80) {
 		p++;
-- 
2.7.4