diff options
| -rw-r--r-- | net/x25/af_x25.c | 6 | ||||
| -rw-r--r-- | net/x25/x25_in.c | 3 |
2 files changed, 9 insertions, 0 deletions
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c index d30615419b4d..a4bd1720e39b 100644 --- a/net/x25/af_x25.c +++ b/net/x25/af_x25.c | |||
| @@ -959,6 +959,12 @@ int x25_rx_call_request(struct sk_buff *skb, struct x25_neigh *nb, | |||
| 959 | skb_pull(skb,len); | 959 | skb_pull(skb,len); |
| 960 | 960 | ||
| 961 | /* | 961 | /* |
| 962 | * Ensure that the amount of call user data is valid. | ||
| 963 | */ | ||
| 964 | if (skb->len > X25_MAX_CUD_LEN) | ||
| 965 | goto out_clear_request; | ||
| 966 | |||
| 967 | /* | ||
| 962 | * Find a listener for the particular address/cud pair. | 968 | * Find a listener for the particular address/cud pair. |
| 963 | */ | 969 | */ |
| 964 | sk = x25_find_listener(&source_addr,skb); | 970 | sk = x25_find_listener(&source_addr,skb); |
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c index 0b073b51b183..63488fd4885a 100644 --- a/net/x25/x25_in.c +++ b/net/x25/x25_in.c | |||
| @@ -127,6 +127,9 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp | |||
| 127 | * Copy any Call User Data. | 127 | * Copy any Call User Data. |
| 128 | */ | 128 | */ |
| 129 | if (skb->len > 0) { | 129 | if (skb->len > 0) { |
| 130 | if (skb->len > X25_MAX_CUD_LEN) | ||
| 131 | goto out_clear; | ||
| 132 | |||
| 130 | skb_copy_from_linear_data(skb, | 133 | skb_copy_from_linear_data(skb, |
| 131 | x25->calluserdata.cuddata, | 134 | x25->calluserdata.cuddata, |
| 132 | skb->len); | 135 | skb->len); |