| author | Paolo Abeni <pabeni@redhat.com> | 2026-04-02 13:36:10 +0200 |
|---|---|---|
| committer | Paolo Abeni <pabeni@redhat.com> | 2026-04-02 13:36:10 +0200 |
| commit | a80a014f83bded5a2f498c22b4a06a7a31256f98 (patch) | |
| tree | 2848b3b99fd5a54942cadc15c619b73e0f16f358 | |
| parent | 9351edf65cb6ba10564f9c81e3c52cf97f4b2a81 (diff) | |
| parent | a1822cb524e89b4cd2cf0b82e484a2335496a6d9 (diff) | |
Merge branch 'net-x25-fix-overflow-and-double-free'
Martin Schiller says:
====================
net/x25: Fix overflow and double free
This patch set includes 2 fixes:
The first removes a potential double free of received skb
The second fixes an overflow when accumulating packets with the more-bit
set.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
====================
Link: https://patch.msgid.link/20260331-x25_fraglen-v4-0-3e69f18464b4@dev.tdt.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
| -rw-r--r-- | net/x25/x25_in.c | 9 | ||||
| -rw-r--r-- | net/x25/x25_subr.c | 1 |
2 files changed, 7 insertions, 3 deletions
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
index b981a4828d08..e47ebd8acd21 100644
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@@ -34,6 +34,10 @@ static int x25_queue_rx_frame(struct sock *sk, struct sk_buff *skb, int more)
 struct sk_buff *skbo, *skbn = skb;
 struct x25_sock *x25 = x25_sk(sk);
+ /* make sure we don't overflow */
+ if (x25->fraglen + skb->len > USHRT_MAX)
+ return 1;
+
 if (more) {
 x25->fraglen += skb->len;
 skb_queue_tail(&x25->fragment_queue, skb);
@@ -44,10 +48,9 @@ static int x25_queue_rx_frame(struct sock *sk, struct sk_buff *skb, int more)
 if (x25->fraglen > 0) { /* End of fragment */
 int len = x25->fraglen + skb->len;
- if ((skbn = alloc_skb(len, GFP_ATOMIC)) == NULL){
- kfree_skb(skb);
+ skbn = alloc_skb(len, GFP_ATOMIC);
+ if (!skbn)
 return 1;
- }
 skb_queue_tail(&x25->fragment_queue, skb);
diff --git a/net/x25/x25_subr.c b/net/x25/x25_subr.c
index 0285aaa1e93c..159708d9ad20 100644
--- a/net/x25/x25_subr.c
+++ b/net/x25/x25_subr.c
@@ -40,6 +40,7 @@ void x25_clear_queues(struct sock *sk)
 skb_queue_purge(&x25->interrupt_in_queue);
 skb_queue_purge(&x25->interrupt_out_queue);
 skb_queue_purge(&x25->fragment_queue);
+ x25->fraglen = 0;
 } |
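Review bot: The new length guard in x25_queue_rx_frame() runs before `if (more)`, so it also applies to a complete frame that arrives with no fragments pending, and its comment does not say what would overflow. The USHRT_MAX bound suggests x25->fraglen is a 16-bit field, but its declaration is not in this diff; I would spell that out, e.g. `/* fraglen is 16 bits wide: refuse any frame that would push the reassembled length past USHRT_MAX */`. The same check is what keeps `int len = x25->fraglen + skb->len` in the next hunk bounded before it reaches alloc_skb(), which is worth mentioning in the comment as well. The function body starts above and continues below this hunk.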
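Review bot: With kfree_skb(skb) gone from the allocation-failure path, both `return 1` exits (this one and the new guard in the first hunk) leave skb unfreed, so correctness now depends on the caller releasing a frame that was not queued. The caller is not shown here; the cover letter's "double free" wording implies it already frees, but nothing in the function records that. A header comment such as `/* Returns 0 if skb was queued, 1 if not; on 1 the caller keeps ownership of skb and must free it. */` would keep a later change from reintroducing either the double free or a leak. The function's signature and the rest of its body are outside the hunk.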
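Review bot: The reset added to x25_clear_queues() carries an invariant that is not written down: fraglen has to match the bytes currently held in fragment_queue, otherwise the new USHRT_MAX guard in x25_queue_rx_frame() would act on a stale total after a purge. A one-line comment, `/* fragment_queue is empty now, so the accumulated length must restart at 0 */`, makes that link explicit. Any other place that purges or drains fragment_queue would need the same reset; none is visible in this diff, so that is worth checking against the full file. The start of the function is outside the hunk.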
