netfilter: nf_ct_sip: don't drop packets with offsets pointing outside the packet

Some Cisco phones create huge messages that are spread over multiple packets.
After calculating the offset of the SIP body, it is validated to be within
the packet and the packet is dropped otherwise. This breaks operation of
these phones. Since connection tracking is supposed to be passive, just let
those packets pass unmodified and untracked.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Conflicts:
	net/netfilter/nf_conntrack_sip.c

This commit appears in the 3.8 and 3.9 branches of the Linux kernel
and according to feanor3 on xda-developers:

The "Cisco Jabber" app lets you use your cell phone as a SIP
endpoint with your work number on a Cisco phone system. The
registration packets that Cisco uses are apparently larger
than normal. With your kernel, the registration does not complete.
With your kernel and line 1421 changed to NF_ACCEPT, the registration
complete

Change-Id: If0c4eff68fa10af43767ad49808394910cae4309

1 files changed, 1 insertions, 1 deletions

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 93faf6a..4a8c55b 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1468,7 +1468,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
 
 		msglen = origlen = end - dptr;
 		if (msglen > datalen)
-			return NF_DROP;
+			return NF_ACCEPT;
 
 		ret = process_sip_msg(skb, ct, dataoff, &dptr, &msglen);
 		if (ret != NF_ACCEPT)