From: Matthew Daley <mattjd@gmail.com>
Date: Fri, 14 Oct 2011 18:45:05 +0000 (+0000)
Subject: x25: Prevent skb overreads when checking call user data
X-Git-Tag: firefly_0821_release~3680^2~4349^2~15
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=7f81e25befdfb3272345a2e775f520e1d515fa20;p=firefly-linux-kernel-4.4.55.git

x25: Prevent skb overreads when checking call user data

x25_find_listener does not check that the amount of call user data given
in the skb is big enough in per-socket comparisons, hence buffer
overreads may occur.  Fix this by adding a check.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Andrew Hendry <andrew.hendry@gmail.com>
Cc: stable <stable@kernel.org>
Acked-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index aa567b09ea9a..5f03e4ea65bf 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -295,7 +295,8 @@ static struct sock *x25_find_listener(struct x25_address *addr,
 			 * Found a listening socket, now check the incoming
 			 * call user data vs this sockets call user data
 			 */
-			if(skb->len > 0 && x25_sk(s)->cudmatchlength > 0) {
+			if (x25_sk(s)->cudmatchlength > 0 &&
+				skb->len >= x25_sk(s)->cudmatchlength) {
 				if((memcmp(x25_sk(s)->calluserdata.cuddata,
 					skb->data,
 					x25_sk(s)->cudmatchlength)) == 0) {