net/x25: Fix overflow when accumulating packets

Add a check to ensure that `x25_sock.fraglen` does not overflow.

The `fraglen` also needs to be resetted when purging `fragment_queue` in
`x25_clear_queues()`.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Link: https://patch.msgid.link/20260331-x25_fraglen-v4-2-3e69f18464b4@dev.tdt.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
index 0dbc73efab1cbd4d98fa77d7a72a2b665203511b..e47ebd8acd21bff8d8fa1f5f48163145e9ac00f2 100644 (file)
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@@ -34,6 +34,10 @@ static int x25_queue_rx_frame(struct sock *sk, struct sk_buff *skb, int more)
        struct sk_buff *skbo, *skbn = skb;
        struct x25_sock *x25 = x25_sk(sk);
 
+       /* make sure we don't overflow */
+       if (x25->fraglen + skb->len > USHRT_MAX)
+               return 1;
+
        if (more) {
                x25->fraglen += skb->len;
                skb_queue_tail(&x25->fragment_queue, skb);

diff --git a/net/x25/x25_subr.c b/net/x25/x25_subr.c
index 0285aaa1e93c17233748d38eef6d8b5c6059b67a..159708d9ad20cb2e6db24ead67daf1e9d6258f64 100644 (file)
--- a/net/x25/x25_subr.c
+++ b/net/x25/x25_subr.c
@@ -40,6 +40,7 @@ void x25_clear_queues(struct sock *sk)
        skb_queue_purge(&x25->interrupt_in_queue);
        skb_queue_purge(&x25->interrupt_out_queue);
        skb_queue_purge(&x25->fragment_queue);
+       x25->fraglen = 0;
 }