Dev news

Commit baed0d9ba91d for kernel

commit baed0d9ba91d4f390da12d5039128ee897253d60
Author: Vahagn Vardanian <vahagn@redrays.io>
Date:   Wed Feb 25 14:06:18 2026 +0100

    netfilter: nf_conntrack_h323: fix OOB read in decode_choice()

    In decode_choice(), the boundary check before get_len() uses the
    variable `len`, which is still 0 from its initialization at the top of
    the function:

        unsigned int type, ext, len = 0;
        ...
        if (ext || (son->attr & OPEN)) {
            BYTE_ALIGN(bs);
            if (nf_h323_error_boundary(bs, len, 0))  /* len is 0 here */
                return H323_ERROR_BOUND;
            len = get_len(bs);                        /* OOB read */

    When the bitstream is exactly consumed (bs->cur == bs->end), the check
    nf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end),
    which is false.  The subsequent get_len() call then dereferences
    *bs->cur++, reading 1 byte past the end of the buffer.  If that byte
    has bit 7 set, get_len() reads a second byte as well.

    This can be triggered remotely by sending a crafted Q.931 SETUP message
    with a User-User Information Element containing exactly 2 bytes of
    PER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with
    the nf_conntrack_h323 helper active.  The decoder fully consumes the
    PER buffer before reaching this code path, resulting in a 1-2 byte
    heap-buffer-overflow read confirmed by AddressSanitizer.

    Fix this by checking for 2 bytes (the maximum that get_len() may read)
    instead of the uninitialized `len`.  This matches the pattern used at
    every other get_len() call site in the same file, where the caller
    checks for 2 bytes of available data before calling get_len().

    Fixes: ec8a8f3c31dd ("netfilter: nf_ct_h323: Extend nf_h323_error_boundary to work on bits as well")
    Signed-off-by: Vahagn Vardanian <vahagn@redrays.io>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Link: https://patch.msgid.link/20260225130619.1248-2-fw@strlen.de
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>

diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index 540d97715bd2..62aa22a07876 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -796,7 +796,7 @@ static int decode_choice(struct bitstr *bs, const struct field_t *f,

 	if (ext || (son->attr & OPEN)) {
 		BYTE_ALIGN(bs);
-		if (nf_h323_error_boundary(bs, len, 0))
+		if (nf_h323_error_boundary(bs, 2, 0))
 			return H323_ERROR_BOUND;
 		len = get_len(bs);
 		if (nf_h323_error_boundary(bs, len, 0))