
Bug 141726

Summary: Kernel: H.323 helper: fix possible NULL-ptr dereference (CVE-2006-3839)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Kernel
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-25 11:52:26 UTC
[NETFILTER]: H.323 helper: fix possible NULL-ptr dereference

An RCF message containing a timeout results in a NULL-ptr dereference if
no RRQ has been seen before.

Noticed by the "SATURN tool", reported by Thomas Dillig <tdillig@stanford.edu>
and Isil Dillig <isil@stanford.edu>.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 165c3b26ee609cecb6eff4b2c19dab8caaf2b8a2
tree 0a997ee463fc47d43d9bf1dcc5989d5dd4268cc3
parent 245b3c810f1d09ac27f326346cb58451556ecc0b
author Patrick McHardy <kaber@trash.net> Tue, 25 Jul 2006 02:26:53 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 25 Jul 2006 02:26:53 +0200

 net/ipv4/netfilter/ip_conntrack_helper_h323.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323.c b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
index 518f581..853a3d5 100644
--- a/net/ipv4/netfilter/ip_conntrack_helper_h323.c
+++ b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
@@ -1092,7 +1092,7 @@ static struct ip_conntrack_expect *find_
        tuple.dst.protonum = IPPROTO_TCP;
 
        exp = __ip_conntrack_expect_find(&tuple);
-       if (exp->master == ct)
+       if (exp && exp->master == ct)
                return exp;
        return NULL;
 }
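Review bot: The `exp &&` guard added to the `if` after the lookup has no comment saying when `__ip_conntrack_expect_find(&tuple)` returns NULL. A one-line comment above the lookup, stating that no expectation exists when an RCF carrying a timeout arrives before any RRQ has been seen, would keep the check from being dropped in a later cleanup. The function also returns NULL both when no expectation is found and when `exp->master` is a different conntrack, so its callers are worth checking for the same unchecked-pointer pattern.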
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-27 09:12:37 UTC
Seems like it was decided that this is not a security issue.