summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2020-07-23 17:49:57 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-07-31 18:39:31 +0200
commitbbf6af4a938a4b6f139440e6d8cd8cb76379962d (patch)
tree786fddce6ffc18bc57b60a6a721ab833dafde6a8
parent182ffc66456b20530def3b2d4f6b9a07545ac475 (diff)
downloadlinux-stable-bbf6af4a938a4b6f139440e6d8cd8cb76379962d.tar.gz
linux-stable-bbf6af4a938a4b6f139440e6d8cd8cb76379962d.tar.bz2
linux-stable-bbf6af4a938a4b6f139440e6d8cd8cb76379962d.zip
AX.25: Prevent integer overflows in connect and sendmsg
[ Upstream commit 17ad73e941b71f3bec7523ea4e9cbc3752461c2d ] We recently added some bounds checking in ax25_connect() and ax25_sendmsg() and we so we removed the AX25_MAX_DIGIS checks because they were no longer required. Unfortunately, I believe they are required to prevent integer overflows so I have added them back. Fixes: 8885bb0621f0 ("AX.25: Prevent out-of-bounds read in ax25_sendmsg()") Fixes: 2f2a7ffad5c6 ("AX.25: Fix out-of-bounds read in ax25_connect()") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat
-rw-r--r--net/ax25/af_ax25.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index dbe7ef2c7e75..2fdb1b573e8c 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1188,6 +1188,7 @@ static int __must_check ax25_connect(struct socket *sock,
fsa->fsa_ax25.sax25_ndigis != 0) {
/* Valid number of digipeaters ? */
if (fsa->fsa_ax25.sax25_ndigis < 1 ||
+ fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS ||
addr_len < sizeof(struct sockaddr_ax25) +
sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis) {
err = -EINVAL;
@@ -1509,7 +1510,9 @@ static int ax25_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)usax;
/* Valid number of digipeaters ? */
- if (usax->sax25_ndigis < 1 || addr_len < sizeof(struct sockaddr_ax25) +
+ if (usax->sax25_ndigis < 1 ||
+ usax->sax25_ndigis > AX25_MAX_DIGIS ||
+ addr_len < sizeof(struct sockaddr_ax25) +
sizeof(ax25_address) * usax->sax25_ndigis) {
err = -EINVAL;
goto out;
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-21 17:37:47 +0000