Browse files

netfilter: nf_ct_sip: don't drop packets with offsets pointing outsid…

…e the packet

Some Cisco phones create huge messages that are spread over multiple packets.
After calculating the offset of the SIP body, it is validated to be within
the packet and the packet is dropped otherwise. This breaks operation of
these phones. Since connection tracking is supposed to be passive, just let
those packets pass unmodified and untracked.

Signed-off-by: Patrick McHardy <>
Signed-off-by: Pablo Neira Ayuso <>


This commit appears in the 3.8 and 3.9 branches of the Linux kernel
and according to feanor3 on xda-developers:

The "Cisco Jabber" app lets you use your cell phone as a SIP
endpoint with your work number on a Cisco phone system. The
registration packets that Cisco uses are apparently larger
than normal. With your kernel, the registration does not complete.
With your kernel and line 1421 changed to NF_ACCEPT, the registration

Change-Id: If0c4eff68fa10af43767ad49808394910cae4309
  • Loading branch information...
kaber authored and William Roberts committed Apr 5, 2013
1 parent 7fc3ce7 commit 210d1e111b6d4dd16f981b8a1330ca9c5f90d71f
Showing with 1 addition and 1 deletion.
  1. +1 −1 net/netfilter/nf_conntrack_sip.c
@@ -1468,7 +1468,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
msglen = origlen = end - dptr;
if (msglen > datalen)
- return NF_DROP;
+ return NF_ACCEPT;
ret = process_sip_msg(skb, ct, dataoff, &dptr, &msglen);
if (ret != NF_ACCEPT)

0 comments on commit 210d1e1

Please sign in to comment.