Commit a6331d6f9a4298173b413cf99a40cc86a9d92c37

Authored by andrew hendry
Committed by David S. Miller
1 parent 41bb78b4b9

memory corruption in X.25 facilities parsing

Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com>

Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 2 changed files with 6 additions and 4 deletions Side-by-side Diff

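--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -134,15 +134,15 @@
 case X25_FAC_CLASS_D:
 switch (*p) {
 case X25_FAC_CALLING_AE:
-if (p[1] > X25_MAX_DTE_FACIL_LEN)
-break;
+if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+return 0;
 dte_facs->calling_len = p[2];
 memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
 *vc_fac_mask |= X25_MASK_CALLING_AE;
 break;
 case X25_FAC_CALLED_AE:
-if (p[1] > X25_MAX_DTE_FACIL_LEN)
-break;
+if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+return 0;
 dte_facs->called_len = p[2];
 memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
 *vc_fac_mask |= X25_MASK_CALLED_AE;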
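Review bot: The tightened guard in the X25_FAC_CALLING_AE and X25_FAC_CALLED_AE cases bounds `p[1]` against the destination array, but nothing visible in the hunk confirms that the facilities buffer still holds `p[1] + 2` bytes before `memcpy(..., &p[3], p[1] - 1)` reads them. A length byte larger than the data actually left in the packet could therefore still read past the end of the facilities field. If the enclosing loop tracks a remaining length (the loop starts outside the hunk), compare against it before the copy, e.g. `if (remaining < (unsigned int)p[1] + 2) return 0;`, where `remaining` is a placeholder for that variable. `calling_len` and `called_len` are also stored straight from `p[2]` without being tied to `p[1]`; whether later consumers bound them is not visible here, so a comment stating their unit and valid range would help.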
... ... @@ -119,6 +119,8 @@
119 119 &x25->vc_facil_mask);
120 120 if (len > 0)
121 121 skb_pull(skb, len);
  122 + else
  123 + return -1;
122 124 /*
123 125 * Copy any Call User Data.
124 126 */
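Review bot: The new `else return -1;` relies on the parser call above (its start is outside the hunk; presumably the facilities parser patched in net/x25/x25_facilities.c) returning 0 only for malformed input, and the call site does not say so. A comment such as `/* 0 means malformed facilities: reject the call */` above the `if (len > 0)` would make that contract explicit. The rejection is also silent, so a peer sending bad facilities leaves no trace; a rate-limited debug message or a drop counter here would help detection. The enclosing function starts and ends outside the hunk, so whether the caller releases the connection state on -1 cannot be confirmed from this page.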