diff options
| author |   Matthew Daley <mattjd@gmail.com> | 2011-10-14 18:45:04 +0000 |
|---|---|---|
| committer |   David S. Miller <davem@davemloft.net> | 2011-10-17 19:31:39 -0400 |
| commit | cb101ed2c3c7c0224d16953fe77bfb9d6c2cb9df (patch) | |
| tree | 3d266ac18673ebc85a99e4d10d8d381ff1ebd782 /net/x25/x25_dev.c | |
| parent | x25: Validate incoming call user data lengths (diff) | |
| download | linux-dev-cb101ed2c3c7c0224d16953fe77bfb9d6c2cb9df.tar.xz linux-dev-cb101ed2c3c7c0224d16953fe77bfb9d6c2cb9df.zip | |
x25: Handle undersized/fragmented skbs
There are multiple locations in the X.25 packet layer where a skb is
assumed to be of at least a certain size and that all its data is
currently available at skb->data. These assumptions are not checked,
hence buffer overreads may occur. Use pskb_may_pull to check these
minimal size assumptions and ensure that data is available at skb->data
when necessary, as well as use skb_copy_bits where needed.
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Andrew Hendry <andrew.hendry@gmail.com>
Cc: stable <stable@kernel.org>
Acked-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/x25/x25_dev.c')
| -rw-r--r-- | net/x25/x25_dev.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/net/x25/x25_dev.c b/net/x25/x25_dev.c index e547ca1578c3..fa2b41888bd9 100644 --- a/net/x25/x25_dev.c +++ b/net/x25/x25_dev.c @@ -32,6 +32,9 @@ static int x25_receive_data(struct sk_buff *skb, struct x25_neigh *nb) unsigned short frametype; unsigned int lci; + if (!pskb_may_pull(skb, X25_STD_MIN_LEN)) + return 0; + frametype = skb->data[2]; lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF); @@ -115,6 +118,9 @@ int x25_lapb_receive_frame(struct sk_buff *skb, struct net_device *dev, goto drop; } + if (!pskb_may_pull(skb, 1)) + return 0; + switch (skb->data[0]) { case X25_IFACE_DATA: |