Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c8a826b2 authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman
Browse files

AX.25: Prevent integer overflows in connect and sendmsg 



[ Upstream commit 17ad73e941b71f3bec7523ea4e9cbc3752461c2d ]

We recently added some bounds checking in ax25_connect() and
ax25_sendmsg() and we so we removed the AX25_MAX_DIGIS checks because
they were no longer required.

Unfortunately, I believe they are required to prevent integer overflows
so I have added them back.

Fixes: 8885bb0621f0 ("AX.25: Prevent out-of-bounds read in ax25_sendmsg()")
Fixes: 2f2a7ffad5c6 ("AX.25: Fix out-of-bounds read in ax25_connect()")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 8209bd62

net/ax25/af_ax25.c

+4 −1
Original line number Diff line number Diff line
@@ -1192,6 +1192,7 @@ static int __must_check ax25_connect(struct socket *sock, 
	    fsa->fsa_ax25.sax25_ndigis != 0) {

		/* Valid number of digipeaters ? */

		if (fsa->fsa_ax25.sax25_ndigis < 1 ||

		    fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS ||

		    addr_len < sizeof(struct sockaddr_ax25) +

		    sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis) {

			err = -EINVAL;
@@ -1512,7 +1513,9 @@ static int ax25_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) 
			struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)usax;



			/* Valid number of digipeaters ? */

			if (usax->sax25_ndigis < 1 || addr_len < sizeof(struct sockaddr_ax25) +

			if (usax->sax25_ndigis < 1 ||

			    usax->sax25_ndigis > AX25_MAX_DIGIS ||

			    addr_len < sizeof(struct sockaddr_ax25) +

			    sizeof(ax25_address) * usax->sax25_ndigis) {

				err = -EINVAL;

				goto out;