Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a6331d6f authored by andrew hendry's avatar andrew hendry Committed by David S. Miller
Browse files

memory corruption in X.25 facilities parsing 



Signed-of-by: default avatarAndrew Hendry <andrew.hendry@gmail.com>

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 41bb78b4

net/x25/x25_facilities.c

+4 −4
Original line number Diff line number Diff line
@@ -134,15 +134,15 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities, 
		case X25_FAC_CLASS_D:

			switch (*p) {

			case X25_FAC_CALLING_AE:

				if (p[1] > X25_MAX_DTE_FACIL_LEN)

					break;

				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)

					return 0;

				dte_facs->calling_len = p[2];

				memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);

				*vc_fac_mask |= X25_MASK_CALLING_AE;

				break;

			case X25_FAC_CALLED_AE:

				if (p[1] > X25_MAX_DTE_FACIL_LEN)

					break;

				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)

					return 0;

				dte_facs->called_len = p[2];

				memcpy(dte_facs->called_ae, &p[3], p[1] - 1);

				*vc_fac_mask |= X25_MASK_CALLED_AE;

net/x25/x25_in.c

+2 −0
Original line number Diff line number Diff line
@@ -119,6 +119,8 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp 
						&x25->vc_facil_mask);

			if (len > 0)

				skb_pull(skb, len);

			else

				return -1;

			/*

			 *	Copy any Call User Data.

			 */