From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Igor Ryzhov, Florian Westphal, Sasha Levin
Subject: [PATCH 5.15 066/148] netfilter: nf_conntrack_sip: fix ct_sip_walk_headers
Date: Mon, 26 Sep 2022 12:11:40 +0200
Message-Id: <20220926100758.522182929@linuxfoundation.org>
In-Reply-To: <20220926100756.074519146@linuxfoundation.org>
References: <20220926100756.074519146@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Igor Ryzhov

[ Upstream commit 39aebedeaaa95757f5c1f2ddb5f43fdddbf478ca ]

ct_sip_next_header and ct_sip_get_header return an absolute value of
matchoff, not a shift from current dataoff. So dataoff should be assigned
matchoff, not incremented by it.

This issue can be seen in the scenario when there are multiple Contact
headers and the first one is using a hostname and other headers use IP
addresses. In this case, ct_sip_walk_headers will work as follows:

The first ct_sip_get_header call will find the first Contact header but
will return -1 as the header uses a hostname. But matchoff will be changed
to the offset of this header. After that, dataoff should be set to
matchoff, so that the next ct_sip_get_header call finds the next Contact
header. But instead of assigning dataoff to matchoff, it is incremented by
it, which is not correct, as matchoff is an absolute value of the offset.
So on the next call to the ct_sip_get_header, dataoff will be incorrect,
and the next Contact header may not be found at all.

Fixes: 05e3ced297fe ("[NETFILTER]: nf_conntrack_sip: introduce SIP-URI parsing helper")
Signed-off-by: Igor Ryzhov
Signed-off-by: Florian Westphal
Signed-off-by: Sasha Levin
---
 net/netfilter/nf_conntrack_sip.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index b83dc9bf0a5d..78fd9122b70c 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -477,7 +477,7 @@ static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr,
 			return ret;
 		if (ret == 0)
 			break;
-		dataoff += *matchoff;
+		dataoff = *matchoff;
 	}
 	*in_header = 0;
 }
@@ -489,7 +489,7 @@ static int ct_sip_walk_headers(const struct nf_conn *ct, const char *dptr,
 			break;
 		if (ret == 0)
 			return ret;
-		dataoff += *matchoff;
+		dataoff = *matchoff;
 	}
 
 	if (in_header)
-- 
2.35.1
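Review bot: with `dataoff = *matchoff` in both hunks (the ct_sip_next_header loop at line 477 and the ct_sip_get_header loop at line 489), forward progress of each loop now rests entirely on the callee: on every -1 return it must leave *matchoff strictly greater than the dataoff it was handed, otherwise the loop re-examines the same header forever. The old `+=` was wrong, as the commit message explains, but it could not stall; the new `=` can, and neither hunk shows where the -1 path sets *matchoff. Please state that invariant either in a one-line comment above the two assignments or in the commit message ("matchoff is set past the matched header name even when the header is rejected"), so the next reader does not have to re-derive it.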
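As an added illustration of the absolute-versus-relative offset bug the commit message describes (this is constructed example code, not kernel code and not part of the patch), a toy header walker: get_header() and walk() are simplified stand-ins for ct_sip_get_header() and the ct_sip_walk_headers() loop, and MSG is a made-up request with the two-Contact scenario from the message. walk(0) uses the old `+=` update and misses the second Contact header; walk(1) uses the patched `=` and finds it.

```c
#include <string.h>

/* Constructed sample: two Contact headers, the first with a hostname and the
 * second with an IP literal, i.e. the scenario from the commit message. */
static const char MSG[] =
	"INVITE sip:bob@example.net SIP/2.0\r\n"
	"Contact: <sip:alice@host.example.org>\r\n"
	"Contact: <sip:alice@192.0.2.10>\r\n"
	"Content-Length: 0\r\n\r\n";

/* Toy stand-in for ct_sip_get_header(): scan from dataoff for the next
 * "Contact:" header. As in the kernel helper, *matchoff is an ABSOLUTE offset
 * (here: just past the header name) and is set even when the header is
 * rejected. Returns 1 (IP-literal host), -1 (hostname, keep walking), 0 (none). */
static int get_header(const char *p, unsigned int dataoff, unsigned int len,
		      unsigned int *matchoff)
{
	static const char name[] = "Contact:";
	unsigned int n = sizeof(name) - 1, off;
	const char *at;
	for (off = dataoff; off + n <= len; off++) {
		if (strncmp(p + off, name, n))
			continue;
		*matchoff = off + n;
		at = memchr(p + off + n, '@', len - off - n);
		return (at && at[1] >= '0' && at[1] <= '9') ? 1 : -1;
	}
	return 0;
}

/* Toy stand-in for the ct_sip_walk_headers() loop; fixed=1 uses the patched
 * "dataoff = *matchoff", fixed=0 the old "dataoff += *matchoff". Returns the
 * offset of the first usable Contact value, or 0 if the walk finds none. */
static unsigned int walk(int fixed)
{
	unsigned int len = strlen(MSG), matchoff = 0;
	/* the walk starts after the request line, so dataoff is never 0 */
	unsigned int dataoff = (unsigned int)(strstr(MSG, "\r\n") - MSG) + 2;
	while (dataoff < len) {
		int ret = get_header(MSG, dataoff, len, &matchoff);
		if (ret == 1)
			return matchoff;	/* usable Contact found */
		if (ret == 0)
			break;			/* no more Contact headers */
		if (fixed)
			dataoff = matchoff;	/* absolute: resume past the name */
		else
			dataoff += matchoff;	/* bug: absolute offset used as delta */
	}
	return 0;
}
```

With the sample above, walk(1) returns 83 (the offset of the second Contact value) while walk(0) returns 0, because 36 + 44 = 80 already lies inside the second header name and the search never sees another "Contact:".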