Hello. On 1/28/2016 11:59 AM, Zhouyi Zhou wrote:
Thanks Eric for your review and advice. I think hackers chould build a malicious h323 packet to overflow the pointer p which will panic during the memcpy(addr, p, len) For example, he may fabricate a very large taddr->ipAddress.ip; Signed-off-by: Zhouyi Zhou <yizhouz...@ict.ac.cn> --- net/netfilter/nf_conntrack_h323_main.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c index 9511af0..ccd08c5 100644 --- a/net/netfilter/nf_conntrack_h323_main.c +++ b/net/netfilter/nf_conntrack_h323_main.c @@ -110,6 +110,7 @@ int (*nat_q931_hook) (struct sk_buff *skb, static DEFINE_SPINLOCK(nf_h323_lock); static char *h323_buffer; +#define CHECK_BOUND(p, n) ((void *)p + n - (void *)h323_buffer > 65536)
You have to enclose the macro parameters in parens when used in expression. MBR, Sergei
