x25: Handle undersized/fragmented skbs

There are multiple locations in the X.25 packet layer where a skb is assumed to be of at least a certain size and that all its data is currently available at skb->data. These assumptions are not checked, hence buffer overreads may occur. Use pskb_may_pull to check these minimal size assumptions and ensure that data is available at skb->data when necessary, as well as use skb_copy_bits where needed. Signed-off-by: Matthew Daley <mattjd@gmail.com> Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: Andrew Hendry <andrew.hendry@gmail.com> Cc: stable <stable@kernel.org> Acked-by: Andrew Hendry <andrew.hendry@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Matthew Daley <mattjd@gmail.com> 2011-10-14 18:45:04 +0000
committer: David S. Miller <davem@davemloft.net> 2011-10-17 19:31:39 -0400
commit: cb101ed2c3c7c0224d16953fe77bfb9d6c2cb9df (patch)
tree: 3d266ac18673ebc85a99e4d10d8d381ff1ebd782 /net/x25/x25_link.c
parent: c7fd0d48bde943e228e9c28ce971a22d6a1744c4 (diff)
download: linux-cb101ed2c3c7c0224d16953fe77bfb9d6c2cb9df.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/net/x25/x25_link.c b/net/x25/x25_link.c
index 037958ff8eed..4acacf3c6617 100644
--- a/net/x25/x25_link.c
+++ b/net/x25/x25_link.c
@@ -90,6 +90,9 @@ void x25_link_control(struct sk_buff *skb, struct x25_neigh *nb,
 		break;
 
 	case X25_DIAGNOSTIC:
+		if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 4))
+			break;
+
 		printk(KERN_WARNING "x25: diagnostic #%d - %02X %02X %02X\n",
 		       skb->data[3], skb->data[4],
 		       skb->data[5], skb->data[6]);
author	Matthew Daley <mattjd@gmail.com>	2011-10-14 18:45:04 +0000
committer	David S. Miller <davem@davemloft.net>	2011-10-17 19:31:39 -0400
commit	cb101ed2c3c7c0224d16953fe77bfb9d6c2cb9df (patch)
tree	3d266ac18673ebc85a99e4d10d8d381ff1ebd782 /net/x25/x25_link.c
parent	c7fd0d48bde943e228e9c28ce971a22d6a1744c4 (diff)
download	linux-cb101ed2c3c7c0224d16953fe77bfb9d6c2cb9df.tar.gz