| From 7f81e25befdfb3272345a2e775f520e1d515fa20 Mon Sep 17 00:00:00 2001 |
| From: Matthew Daley <mattjd@gmail.com> |
| Date: Fri, 14 Oct 2011 18:45:05 +0000 |
| Subject: x25: Prevent skb overreads when checking call user data |
| |
| From: Matthew Daley <mattjd@gmail.com> |
| |
| commit 7f81e25befdfb3272345a2e775f520e1d515fa20 upstream. |
| |
| x25_find_listener does not check that the amount of call user data given |
| in the skb is big enough in per-socket comparisons, hence buffer |
| overreads may occur. Fix this by adding a check. |
| |
| Signed-off-by: Matthew Daley <mattjd@gmail.com> |
| Cc: Eric Dumazet <eric.dumazet@gmail.com> |
| Cc: Andrew Hendry <andrew.hendry@gmail.com> |
| Acked-by: Andrew Hendry <andrew.hendry@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/x25/af_x25.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/net/x25/af_x25.c |
| +++ b/net/x25/af_x25.c |
| @@ -294,7 +294,8 @@ static struct sock *x25_find_listener(st |
| * Found a listening socket, now check the incoming |
| * call user data vs this sockets call user data |
| */ |
| - if(skb->len > 0 && x25_sk(s)->cudmatchlength > 0) { |
| + if (x25_sk(s)->cudmatchlength > 0 && |
| + skb->len >= x25_sk(s)->cudmatchlength) { |
| if((memcmp(x25_sk(s)->calluserdata.cuddata, |
| skb->data, |
| x25_sk(s)->cudmatchlength)) == 0) { |