diff options
| author | Matthew Daley <mattjd@gmail.com> | 2011-10-14 14:45:04 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2011-10-17 19:31:39 -0400 |
| commit | cb101ed2c3c7c0224d16953fe77bfb9d6c2cb9df (patch) | |
| tree | 3d266ac18673ebc85a99e4d10d8d381ff1ebd782 /net/x25/x25_subr.c | |
| parent | c7fd0d48bde943e228e9c28ce971a22d6a1744c4 (diff) | |
x25: Handle undersized/fragmented skbs
There are multiple locations in the X.25 packet layer where a skb is
assumed to be of at least a certain size and that all its data is
currently available at skb->data. These assumptions are not checked,
hence buffer overreads may occur. Use pskb_may_pull to check these
minimal size assumptions and ensure that data is available at skb->data
when necessary, as well as use skb_copy_bits where needed.
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Andrew Hendry <andrew.hendry@gmail.com>
Cc: stable <stable@kernel.org>
Acked-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/x25/x25_subr.c')
| -rw-r--r-- | net/x25/x25_subr.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/net/x25/x25_subr.c b/net/x25/x25_subr.c index 24a342ebc7f5..5170d52bfd96 100644 --- a/net/x25/x25_subr.c +++ b/net/x25/x25_subr.c | |||
| @@ -269,7 +269,11 @@ int x25_decode(struct sock *sk, struct sk_buff *skb, int *ns, int *nr, int *q, | |||
| 269 | int *d, int *m) | 269 | int *d, int *m) |
| 270 | { | 270 | { |
| 271 | struct x25_sock *x25 = x25_sk(sk); | 271 | struct x25_sock *x25 = x25_sk(sk); |
| 272 | unsigned char *frame = skb->data; | 272 | unsigned char *frame; |
| 273 | |||
| 274 | if (!pskb_may_pull(skb, X25_STD_MIN_LEN)) | ||
| 275 | return X25_ILLEGAL; | ||
| 276 | frame = skb->data; | ||
| 273 | 277 | ||
| 274 | *ns = *nr = *q = *d = *m = 0; | 278 | *ns = *nr = *q = *d = *m = 0; |
| 275 | 279 | ||
| @@ -294,6 +298,10 @@ int x25_decode(struct sock *sk, struct sk_buff *skb, int *ns, int *nr, int *q, | |||
| 294 | if (frame[2] == X25_RR || | 298 | if (frame[2] == X25_RR || |
| 295 | frame[2] == X25_RNR || | 299 | frame[2] == X25_RNR || |
| 296 | frame[2] == X25_REJ) { | 300 | frame[2] == X25_REJ) { |
| 301 | if (!pskb_may_pull(skb, X25_EXT_MIN_LEN)) | ||
| 302 | return X25_ILLEGAL; | ||
| 303 | frame = skb->data; | ||
| 304 | |||
| 297 | *nr = (frame[3] >> 1) & 0x7F; | 305 | *nr = (frame[3] >> 1) & 0x7F; |
| 298 | return frame[2]; | 306 | return frame[2]; |
| 299 | } | 307 | } |
| @@ -308,6 +316,10 @@ int x25_decode(struct sock *sk, struct sk_buff *skb, int *ns, int *nr, int *q, | |||
| 308 | 316 | ||
| 309 | if (x25->neighbour->extended) { | 317 | if (x25->neighbour->extended) { |
| 310 | if ((frame[2] & 0x01) == X25_DATA) { | 318 | if ((frame[2] & 0x01) == X25_DATA) { |
| 319 | if (!pskb_may_pull(skb, X25_EXT_MIN_LEN)) | ||
| 320 | return X25_ILLEGAL; | ||
| 321 | frame = skb->data; | ||
| 322 | |||
| 311 | *q = (frame[0] & X25_Q_BIT) == X25_Q_BIT; | 323 | *q = (frame[0] & X25_Q_BIT) == X25_Q_BIT; |
| 312 | *d = (frame[0] & X25_D_BIT) == X25_D_BIT; | 324 | *d = (frame[0] & X25_D_BIT) == X25_D_BIT; |
| 313 | *m = (frame[3] & X25_EXT_M_BIT) == X25_EXT_M_BIT; | 325 | *m = (frame[3] & X25_EXT_M_BIT) == X25_EXT_M_BIT; |