Commit a80a014f authored by Paolo Abeni

Merge branch 'net-x25-fix-overflow-and-double-free'



Martin Schiller says:

====================
net/x25: Fix overflow and double free

This patch set includes 2 fixes:

The first removes a potential double free of received skb
The second fixes an overflow when accumulating packets with the more-bit
set.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
====================

Link: https://patch.msgid.link/20260331-x25_fraglen-v4-0-3e69f18464b4@dev.tdt.de


Signed-off-by: Paolo Abeni <pabeni@redhat.com>
parents 9351edf6 a1822cb5
+6 −3
@@ -34,6 +34,10 @@ static int x25_queue_rx_frame(struct sock *sk, struct sk_buff *skb, int more)
	struct sk_buff *skbo, *skbn = skb;
	struct x25_sock *x25 = x25_sk(sk);

	/* make sure we don't overflow */
	if (x25->fraglen + skb->len > USHRT_MAX)
		return 1;

	if (more) {
		x25->fraglen += skb->len;
		skb_queue_tail(&x25->fragment_queue, skb);
@@ -44,10 +48,9 @@ static int x25_queue_rx_frame(struct sock *sk, struct sk_buff *skb, int more)
	if (x25->fraglen > 0) {	/* End of fragment */
		int len = x25->fraglen + skb->len;

		if ((skbn = alloc_skb(len, GFP_ATOMIC)) == NULL){
			kfree_skb(skb);
		skbn = alloc_skb(len, GFP_ATOMIC);
		if (!skbn)
			return 1;
		}

		skb_queue_tail(&x25->fragment_queue, skb);
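Review bot: Both `return 1` paths in x25_queue_rx_frame() (the new length check and the alloc_skb() failure) appear to leave `skb` unfreed, so the fix depends on an ownership rule that is written nowhere in these hunks: a non-zero return means the skb was not consumed and the caller is expected to free it. I would state that at the check, e.g. `/* fraglen must stay <= USHRT_MAX; on a non-zero return skb is not consumed, the caller frees it */`, because a later edit that re-adds a kfree_skb() on either path would bring the double free back. The length rejection also leaves the earlier fragments on `fragment_queue` with `fraglen` unchanged, so the caller's error path presumably has to purge the queue and reset the counter; the callers are not on this page, so that should be confirmed. The function body starts before the first hunk and continues after the second.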

+1 −0
@@ -40,6 +40,7 @@ void x25_clear_queues(struct sock *sk)
	skb_queue_purge(&x25->interrupt_in_queue);
	skb_queue_purge(&x25->interrupt_out_queue);
	skb_queue_purge(&x25->fragment_queue);
	x25->fraglen = 0;
}