There is a lack of much validation of frame size coming from a netrom-based device. While these devices are "trusted" doing some sanity checks is good to at least keep the fuzzing tools happy when they stumble across this ancient protocol and light up with a range of bug reports. Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Simon Horman Cc: linux-hams@vger.kernel.org Assisted-by: gregkh_clanker_2000 Reviewed-by: Yizhe Zhuang Cc: stable Signed-off-by: Greg Kroah-Hartman --- net/netrom/af_netrom.c | 6 ++++++ net/netrom/nr_route.c | 6 +++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index b816c56124ab..b605891bf86e 100644 --- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c @@ -885,6 +885,9 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev) * skb->data points to the netrom frame start */ + if (skb->len < NR_NETWORK_LEN + NR_TRANSPORT_LEN) + return 0; + src = (ax25_address *)(skb->data + 0); dest = (ax25_address *)(skb->data + 7); @@ -963,6 +966,9 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev) sk = nr_find_listener(dest); + if (skb->len < NR_NETWORK_LEN + NR_TRANSPORT_LEN + 1 + AX25_ADDR_LEN) + return 0; + user = (ax25_address *)(skb->data + 21); if (sk == NULL || sk_acceptq_is_full(sk) || diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c index 9cc29ae85b06..bf60f5682a4f 100644 --- a/net/netrom/nr_route.c +++ b/net/netrom/nr_route.c @@ -755,10 +755,10 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25) struct sk_buff *nskb, *oskb; /* - * Reject malformed packets early. Check that it contains at least 2 - * addresses and 1 byte more for Time-To-Live + * Reject malformed packets early. Check that it contains at least + * the network and transport headers (20 bytes). */ - if (skb->len < 2 * sizeof(ax25_address) + 1) + if (skb->len < NR_NETWORK_LEN + NR_TRANSPORT_LEN) return 0; nr_src = (ax25_address *)(skb->data + 0); -- 2.53.0