x25: add a sanity check parsing X.25 facilities

This was found with a manual audit and I don't have a reproducer.  We
limit ->calling_len and ->called_len when we get them from
copy_from_user() in x25_ioctl() so when they come from skb->data then
we should cap them there as well.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 4 insertions, 0 deletions

diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
index 66c638730c7a..b8253250d723 100644
--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -156,6 +156,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
                         case X25_FAC_CALLING_AE:
                                 if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
                                         return -1;
+                                if (p[2] > X25_MAX_AE_LEN)
+                                        return -1;
                                 dte_facs->calling_len = p[2];
                                 memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
                                 *vc_fac_mask |= X25_MASK_CALLING_AE;
@@ -163,6 +165,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
                         case X25_FAC_CALLED_AE:
                                 if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
                                         return -1;
+                                if (p[2] > X25_MAX_AE_LEN)
+                                        return -1;
                                 dte_facs->called_len = p[2];
                                 memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
                                 *vc_fac_mask |= X25_MASK_CALLED_AE;