x25: Handle undersized/fragmented skbs
There are multiple locations in the X.25 packet layer where a skb is assumed to be of at least a certain size and that all its data is currently available at skb->data. These assumptions are not checked, hence buffer overreads may occur. Use pskb_may_pull to check these minimal size assumptions and ensure that data is available at skb->data when necessary, as well as use skb_copy_bits where needed. Signed-off-by: Matthew Daley <mattjd@gmail.com> Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: Andrew Hendry <andrew.hendry@gmail.com> Cc: stable <stable@kernel.org> Acked-by: Andrew Hendry <andrew.hendry@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
committed by
David S. Miller
parent
c7fd0d48bd
commit
cb101ed2c3
@ -32,6 +32,9 @@ static int x25_receive_data(struct sk_buff *skb, struct x25_neigh *nb)
unsigned short frametype;
unsigned int lci;
if (!pskb_may_pull(skb, X25_STD_MIN_LEN))
return 0;
frametype = skb->data[2];
lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
@ -115,6 +118,9 @@ int x25_lapb_receive_frame(struct sk_buff *skb, struct net_device *dev,
goto drop;
}
if (!pskb_may_pull(skb, 1))
return 0;
switch (skb->data[0]) {
case X25_IFACE_DATA:
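Review bot: In the second hunk (x25_lapb_receive_frame), the added `if (!pskb_may_pull(skb, 1)) return 0;` leaves the function directly, while the failure path in the context just above it uses `goto drop;`. If the `drop` label frees the skb, as that context suggests, an undersized frame would leak the buffer here, and possibly a neighbour reference the function holds at that point. Both lie outside the hunk and need confirming against the full function, but frame length is peer-controlled, so a per-frame leak would be a resource-exhaustion concern. I would route the failure through the existing exit with `if (!pskb_may_pull(skb, 1)) goto drop;`, preceded by a release of the neighbour reference if one is held. The `return 0` added to x25_receive_data in the first hunk is only safe if its caller frees the skb on a zero return, which deserves a short comment such as `/* caller frees skb on 0 */`.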