summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--net/x25/af_x25.c6
-rw-r--r--net/x25/x25_in.c3
2 files changed, 9 insertions, 0 deletions
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 373e14f21a17..8c0346f00e68 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -960,6 +960,12 @@ int x25_rx_call_request(struct sk_buff *skb, struct x25_neigh *nb,
skb_pull(skb,len);
/*
+ * Ensure that the amount of call user data is valid.
+ */
+ if (skb->len > X25_MAX_CUD_LEN)
+ goto out_clear_request;
+
+ /*
* Find a listener for the particular address/cud pair.
*/
sk = x25_find_listener(&source_addr,skb);
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
index 15de65f04719..b1180cc28669 100644
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@@ -127,6 +127,9 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
* Copy any Call User Data.
*/
if (skb->len > 0) {
+ if (skb->len > X25_MAX_CUD_LEN)
+ goto out_clear;
+
skb_copy_from_linear_data(skb,
x25->calluserdata.cuddata,
skb->len);