Commit a6331d6f9a4298173b413cf99a40cc86a9d92c37
Committed by
David S. Miller
1 parent
41bb78b4b9
memory corruption in X.25 facilities parsing
Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 2 changed files with 6 additions and 4 deletions
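--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -134,15 +134,15 @@
 case X25_FAC_CLASS_D:
 switch (*p) {
 case X25_FAC_CALLING_AE:
-if (p[1] > X25_MAX_DTE_FACIL_LEN)
-break;
+if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+return 0;
 dte_facs->calling_len = p[2];
 memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
 *vc_fac_mask |= X25_MASK_CALLING_AE;
 break;
 case X25_FAC_CALLED_AE:
-if (p[1] > X25_MAX_DTE_FACIL_LEN)
-break;
+if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+return 0;
 dte_facs->called_len = p[2];
 memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
 *vc_fac_mask |= X25_MASK_CALLED_AE;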
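Review bot: The new guard in the X25_FAC_CALLING_AE case bounds only `p[1]`; `p[2]` is still stored in `dte_facs->calling_len` unchecked, so a peer-supplied length that disagrees with the bytes actually copied can reach later readers of `calling_ae`. A second check before the assignment, such as `if (p[2] > X25_MAX_AE_LEN) return 0;`, would close that, assuming `calling_len` counts semi-octets as that constant does; the X25_FAC_CALLED_AE case needs the same for `called_len`. Neither case compares `p[1] + 2` with the facilities length still remaining, so the `memcpy` source may run past the received block unless the loop outside this hunk already guarantees it. The enclosing function starts and ends outside the hunk, and whether callers treat the new `return 0` as a parse failure rather than an empty facilities field is not visible here.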