The ax25_cb fragmentation reassembly accumulator: ax25->fraglen += skb->len; operates on the unsigned short field 'fraglen' declared in ax25_cb: unsigned short paclen, fragno, fraglen; When fragments accumulate with a combined payload exceeding 65535 bytes, fraglen wraps to near zero. The subsequent allocation: skb = alloc_skb(AX25_MAX_HEADER_LEN + ax25->fraglen, GFP_ATOMIC); then allocates a tiny buffer. Every skb_put() call in the copy loop that follows writes far beyond the allocated headroom, corrupting the kernel heap. An attacker on an AX.25 link that supports multi-fragment I-frames (AX25_SEG_FIRST / AX25_SEG_REM mechanism) can trigger this by sending enough continuation fragments to wrap the 16-bit counter. With AX.25 segment numbers limited to 6 bits (max 63 continuation fragments), a fragment payload of ~1040 bytes per fragment is sufficient to overflow. Fix mirrors the identical bug fixed in NET/ROM (nr_in.c): check for overflow before adding skb->len to fraglen, and abort fragment reassembly cleanly if the limit would be exceeded. Cc: stable@vger.kernel.org Cc: linux-hams@vger.kernel.org Signed-off-by: Mashiro Chen --- net/ax25/ax25_in.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c index d75b3e9ed93de8..68202c19b19e3f 100644 --- a/net/ax25/ax25_in.c +++ b/net/ax25/ax25_in.c @@ -41,6 +41,11 @@ static int ax25_rx_fragment(ax25_cb *ax25, struct sk_buff *skb) /* Enqueue fragment */ ax25->fragno = *skb->data & AX25_SEG_REM; skb_pull(skb, 1); /* skip fragno */ + if ((unsigned int)ax25->fraglen + skb->len > USHRT_MAX) { + skb_queue_purge(&ax25->frag_queue); + ax25->fragno = 0; + return 1; + } ax25->fraglen += skb->len; skb_queue_tail(&ax25->frag_queue, skb); -- 2.53.0