diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2013-09-03 12:03:40 +0300 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-09-04 00:27:27 -0400 |
commit | 80aa4e10963cc7d9b5dd5b2568ce28d74af20bf9 (patch) | |
tree | 5c864aa3c95f575287ea2f37da2e0589f85a1c1c | |
parent | cab6ce9ebe89303bbf5eff442776188070a22771 (diff) | |
download | linux-80aa4e10963cc7d9b5dd5b2568ce28d74af20bf9.tar.gz linux-80aa4e10963cc7d9b5dd5b2568ce28d74af20bf9.tar.bz2 linux-80aa4e10963cc7d9b5dd5b2568ce28d74af20bf9.zip |
x25: add a sanity check parsing X.25 facilities
This was found with a manual audit and I don't have a reproducer. We
limit ->calling_len and ->called_len when we get them from
copy_from_user() in x25_ioctl() so when they come from skb->data then
we should cap them there as well.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/x25/x25_facilities.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c index 66c638730c7a..b8253250d723 100644 --- a/net/x25/x25_facilities.c +++ b/net/x25/x25_facilities.c @@ -156,6 +156,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities, case X25_FAC_CALLING_AE: if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1) return -1; + if (p[2] > X25_MAX_AE_LEN) + return -1; dte_facs->calling_len = p[2]; memcpy(dte_facs->calling_ae, &p[3], p[1] - 1); *vc_fac_mask |= X25_MASK_CALLING_AE; @@ -163,6 +165,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities, case X25_FAC_CALLED_AE: if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1) return -1; + if (p[2] > X25_MAX_AE_LEN) + return -1; dte_facs->called_len = p[2]; memcpy(dte_facs->called_ae, &p[3], p[1] - 1); *vc_fac_mask |= X25_MASK_CALLED_AE; |