Commit 7f81e25b authored Oct 14, 2011 by Matthew Daley Committed by David S. Miller Oct 17, 2011

x25: Prevent skb overreads when checking call user data

x25_find_listener does not check that the amount of call user data given
in the skb is big enough in per-socket comparisons, hence buffer
overreads may occur.  Fix this by adding a check.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Andrew Hendry <andrew.hendry@gmail.com>
Cc: stable <stable@kernel.org>
Acked-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent cb101ed2

net/x25/af_x25.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -295,7 +295,8 @@ static struct sock x25_find_listener(struct x25_address addr,
		* Found a listening socket, now check the incoming
		* call user data vs this sockets call user data
		*/
		if(skb->len > 0 && x25_sk(s)->cudmatchlength > 0) {
		if (x25_sk(s)->cudmatchlength > 0 &&
		skb->len >= x25_sk(s)->cudmatchlength) {
		if((memcmp(x25_sk(s)->calluserdata.cuddata,
		skb->data,
		x25_sk(s)->cudmatchlength)) == 0) {