Commit 7f81e25b authored by Matthew Daley's avatar Matthew Daley Committed by David S. Miller

x25: Prevent skb overreads when checking call user data

x25_find_listener does not check that the amount of call user data given
in the skb is big enough in per-socket comparisons, hence buffer
overreads may occur.  Fix this by adding a check.
Signed-off-by: default avatarMatthew Daley <mattjd@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Andrew Hendry <andrew.hendry@gmail.com>
Cc: stable <stable@kernel.org>
Acked-by: default avatarAndrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent cb101ed2
...@@ -295,7 +295,8 @@ static struct sock *x25_find_listener(struct x25_address *addr, ...@@ -295,7 +295,8 @@ static struct sock *x25_find_listener(struct x25_address *addr,
* Found a listening socket, now check the incoming * Found a listening socket, now check the incoming
* call user data vs this sockets call user data * call user data vs this sockets call user data
*/ */
if(skb->len > 0 && x25_sk(s)->cudmatchlength > 0) { if (x25_sk(s)->cudmatchlength > 0 &&
skb->len >= x25_sk(s)->cudmatchlength) {
if((memcmp(x25_sk(s)->calluserdata.cuddata, if((memcmp(x25_sk(s)->calluserdata.cuddata,
skb->data, skb->data,
x25_sk(s)->cudmatchlength)) == 0) { x25_sk(s)->cudmatchlength)) == 0) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment