diff options
author | Matthew Daley <mattjd@gmail.com> | 2011-10-14 20:45:05 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-10-18 01:31:40 +0200 |
commit | 7f81e25befdfb3272345a2e775f520e1d515fa20 (patch) | |
tree | 02f02c9808a19c09977eebea9e3a9e2b3eac617f /net/x25/af_x25.c | |
parent | x25: Handle undersized/fragmented skbs (diff) | |
download | linux-7f81e25befdfb3272345a2e775f520e1d515fa20.tar.xz linux-7f81e25befdfb3272345a2e775f520e1d515fa20.zip |
x25: Prevent skb overreads when checking call user data
x25_find_listener does not check that the amount of call user data given
in the skb is big enough in per-socket comparisons, hence buffer
overreads may occur. Fix this by adding a check.
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Andrew Hendry <andrew.hendry@gmail.com>
Cc: stable <stable@kernel.org>
Acked-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/x25/af_x25.c')
-rw-r--r-- | net/x25/af_x25.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c index aa567b09ea9a..5f03e4ea65bf 100644 --- a/net/x25/af_x25.c +++ b/net/x25/af_x25.c @@ -295,7 +295,8 @@ static struct sock *x25_find_listener(struct x25_address *addr, * Found a listening socket, now check the incoming * call user data vs this sockets call user data */ - if(skb->len > 0 && x25_sk(s)->cudmatchlength > 0) { + if (x25_sk(s)->cudmatchlength > 0 && + skb->len >= x25_sk(s)->cudmatchlength) { if((memcmp(x25_sk(s)->calluserdata.cuddata, skb->data, x25_sk(s)->cudmatchlength)) == 0) { |