diff options
| -rw-r--r-- | net/x25/af_x25.c | 6 | ||||
| -rw-r--r-- | net/x25/x25_in.c | 3 |
2 files changed, 9 insertions, 0 deletions
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c index d30615419b4..a4bd1720e39 100644 --- a/net/x25/af_x25.c +++ b/net/x25/af_x25.c @@ -959,6 +959,12 @@ int x25_rx_call_request(struct sk_buff *skb, struct x25_neigh *nb, skb_pull(skb,len); /* + * Ensure that the amount of call user data is valid. + */ + if (skb->len > X25_MAX_CUD_LEN) + goto out_clear_request; + + /* * Find a listener for the particular address/cud pair. */ sk = x25_find_listener(&source_addr,skb); diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c index 0b073b51b18..63488fd4885 100644 --- a/net/x25/x25_in.c +++ b/net/x25/x25_in.c @@ -127,6 +127,9 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp * Copy any Call User Data. */ if (skb->len > 0) { + if (skb->len > X25_MAX_CUD_LEN) + goto out_clear; + skb_copy_from_linear_data(skb, x25->calluserdata.cuddata, skb->len); |