[PATCH net 11/11] netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()

Florian Westphal · 2026-03-13T16:06:14+0100

From: Jenny Guanni Qu In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive after the decrement. Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") Reported-by: Klaudia Kloc Reported-by: Dawid Moczadło Tested-by: Jenny Guanni Qu Signed-off-by: Jenny Guanni Qu Signed-off-by: Florian Westphal --- net/netfilter/nf_conntrack_h323_asn1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c index c972e9488e16..7b1497ed97d2 100644 --- a/net/netfilter/nf_conntrack_h323_asn1.c +++ b/net/netfilter/nf_conntrack_h323_asn1.c @@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931) break; p++; len--; + if (len UUIE); } -- 2.52.0

[PATCH net 00/11] netfilter: updates for net · Florian Westphal <fw@strlen.de> · 2026-03-13
[PATCH net 01/11] netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() · Florian Westphal <fw@strlen.de> · 2026-03-13
Re: [PATCH net 01/11] netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() · patchwork-bot+netdevbpf@kernel.org · 2026-03-14
[PATCH net 02/11] netfilter: conntrack: add missing netlink policy validations · Florian Westphal <fw@strlen.de> · 2026-03-13
[PATCH net 03/11] netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() · Florian Westphal <fw@strlen.de> · 2026-03-13
[PATCH net 04/11] netfilter: revert nft_set_rbtree: validate open interval overlap · Florian Westphal <fw@strlen.de> · 2026-03-13
Re: [PATCH net 04/11] netfilter: revert nft_set_rbtree: validate open interval overlap: manual merge · Matthieu Baerts <matttbe@kernel.org> · 2026-03-16
[PATCH net 05/11] netfilter: nf_flow_table_ip: reset mac header before vlan push · Florian Westphal <fw@strlen.de> · 2026-03-13
[PATCH net 06/11] netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case · Florian Westphal <fw@strlen.de> · 2026-03-13
Re: [net,06/11] netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case · Jakub Kicinski <kuba@kernel.org> · 2026-03-14
Re: [net,06/11] netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case · Florian Westphal <fw@strlen.de> · 2026-03-14
Re: [net,06/11] netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case · Guanni Qu <hidden> · 2026-03-14
Re: [net,06/11] netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case · Jakub Kicinski <kuba@kernel.org> · 2026-03-15
[PATCH net 07/11] nf_tables: nft_dynset: fix possible stateful expression memleak in error path · Florian Westphal <fw@strlen.de> · 2026-03-13
[PATCH net 08/11] netfilter: nft_ct: drop pending enqueued packets on removal · Florian Westphal <fw@strlen.de> · 2026-03-13
[PATCH net 09/11] netfilter: xt_CT: drop pending enqueued packets on template removal · Florian Westphal <fw@strlen.de> · 2026-03-13
[PATCH net 10/11] netfilter: xt_time: use unsigned int for monthday bit shift · Florian Westphal <fw@strlen.de> · 2026-03-13
[PATCH net 11/11] netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() · Florian Westphal <fw@strlen.de> · 2026-03-13

STALE75d REVIEWED: 1 (0M)

Revisions (2)

2026-03-13 v1 current
2026-03-25 v1 [diff vs current]

From: Florian Westphal <fw@strlen.de>
Date: 2026-03-13 15:07:10
Also in: netfilter-devel
Subsystem: netfilter, networking [general], the rest · Maintainers: Pablo Neira Ayuso, Florian Westphal, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds

From: Jenny Guanni Qu <redacted>

In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
the packet, then decrements it by 1 to skip the protocol discriminator
byte before passing it to DecodeH323_UserInformation(). If the encoded
length is 0, the decrement wraps to -1, which is then passed as a
large value to the decoder, leading to an out-of-bounds read.

Add a check to ensure len is positive after the decrement.

Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
Reported-by: Klaudia Kloc <redacted>
Reported-by: Dawid Moczadło <redacted>
Tested-by: Jenny Guanni Qu <redacted>
Signed-off-by: Jenny Guanni Qu <redacted>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index c972e9488e16..7b1497ed97d2 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c

@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
 				break;
 			p++;
 			len--;
+			if (len <= 0)
+				break;
 			return DecodeH323_UserInformation(buf, p, len,
 							  &q931->UUIE);
 		}

-- 
2.52.0

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help