From adcb4711101dfef89d473f64a913089d303962ae Mon Sep 17 00:00:00 2001
From: Patrick McHardy <kaber@trash.net>
Date: Tue, 30 Jan 2007 14:25:24 -0800
Subject: [PATCH] [NETFILTER]: SIP conntrack: fix out of bounds memory access

When checking for an @-sign in skp_epaddr_len, make sure not to
run over the packet boundaries.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/ipv4/netfilter/ip_conntrack_sip.c | 2 +-
 net/netfilter/nf_conntrack_sip.c      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_sip.c b/net/ipv4/netfilter/ip_conntrack_sip.c
index 571d27e209102..11c588a10e6b5 100644
--- a/net/ipv4/netfilter/ip_conntrack_sip.c
+++ b/net/ipv4/netfilter/ip_conntrack_sip.c
@@ -292,7 +292,7 @@ static int skp_epaddr_len(const char *dptr, const char *limit, int *shift)
 		dptr++;
 	}
 
-	if (*dptr == '@') {
+	if (dptr <= limit && *dptr == '@') {
 		dptr++;
 		(*shift)++;
 	} else
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index c93fb37a54fc8..9dec115346784 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -312,7 +312,7 @@ static int skp_epaddr_len(struct nf_conn *ct, const char *dptr,
 		dptr++;
 	}
 
-	if (*dptr == '@') {
+	if (dptr <= limit && *dptr == '@') {
 		dptr++;
 		(*shift)++;
 	} else
-- 
2.30.2