summaryrefslogtreecommitdiffstats
path: root/net/x25/af_x25.c
diff options
context:
space:
mode:
authorMatthew Daley <mattjd@gmail.com>2011-10-14 20:45:05 +0200
committerDavid S. Miller <davem@davemloft.net>2011-10-18 01:31:40 +0200
commit7f81e25befdfb3272345a2e775f520e1d515fa20 (patch)
tree02f02c9808a19c09977eebea9e3a9e2b3eac617f /net/x25/af_x25.c
parentx25: Handle undersized/fragmented skbs (diff)
downloadlinux-7f81e25befdfb3272345a2e775f520e1d515fa20.tar.xz
linux-7f81e25befdfb3272345a2e775f520e1d515fa20.zip
x25: Prevent skb overreads when checking call user data
x25_find_listener does not check that the amount of call user data given in the skb is big enough in per-socket comparisons, hence buffer overreads may occur. Fix this by adding a check. Signed-off-by: Matthew Daley <mattjd@gmail.com> Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: Andrew Hendry <andrew.hendry@gmail.com> Cc: stable <stable@kernel.org> Acked-by: Andrew Hendry <andrew.hendry@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/x25/af_x25.c')
-rw-r--r--net/x25/af_x25.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index aa567b09ea9a..5f03e4ea65bf 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -295,7 +295,8 @@ static struct sock *x25_find_listener(struct x25_address *addr,
* Found a listening socket, now check the incoming
* call user data vs this sockets call user data
*/
- if(skb->len > 0 && x25_sk(s)->cudmatchlength > 0) {
+ if (x25_sk(s)->cudmatchlength > 0 &&
+ skb->len >= x25_sk(s)->cudmatchlength) {
if((memcmp(x25_sk(s)->calluserdata.cuddata,
skb->data,
x25_sk(s)->cudmatchlength)) == 0) {