linux_dsm_epyc7002/net
Dan Carpenter 6ee50c8e26 net/x25: prevent a couple of overflows
The .x25_addr[] address comes from the user and is not necessarily
NUL terminated.  This leads to a couple problems.  The first problem is
that the strlen() in x25_bind() can read beyond the end of the buffer.

The second problem is more subtle and could result in memory corruption.
The call tree is:
  x25_connect()
  --> x25_write_internal()
      --> x25_addr_aton()

The .x25_addr[] buffers are copied to the "addresses" buffer from
x25_write_internal() so it will lead to stack corruption.

Verify that the strings are NUL terminated and return -EINVAL if they
are not.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Fixes: a9288525d2 ("X25: Dont let x25_bind use addresses containing characters")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Martin Schiller <ms@dev.tdt.de>
Link: https://lore.kernel.org/r/X8ZeAKm8FnFpN//B@mwanda
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2020-12-02 17:26:36 -08:00
..
6lowpan
9p
802
8021q
appletalk
atm
ax25
batman-adv batman-adv: Don't always reallocate the fragmentation skb head 2020-11-27 08:02:55 +01:00
bluetooth
bpf
bpfilter
bridge netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal 2020-11-28 11:46:51 -08:00
caif
can can: af_can: can_rx_unregister(): remove WARN() statement from list operation sanity check 2020-11-27 10:49:28 +01:00
ceph
core Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 2020-11-28 12:04:57 -08:00
dcb
dccp tcp: fix race condition when creating child sockets from syncookies 2020-11-23 16:32:33 -08:00
decnet
dns_resolver
dsa
ethernet
ethtool
hsr
ieee802154
ife
ipv4 ipv4: Fix tos mask in inet_rtm_getroute() 2020-11-28 13:14:23 -08:00
ipv6 net: ip6_gre: set dev->hard_header_len when using header_ops 2020-12-02 11:16:12 -08:00
iucv net/af_iucv: set correct sk_protocol for child sockets 2020-11-21 14:43:45 -08:00
kcm
key
l2tp
l3mdev
lapb
llc
mac80211 mac80211: free sta in sta_info_insert_finish() on errors 2020-11-13 09:48:32 +01:00
mac802154
mpls
mptcp mptcp: fix NULL ptr dereference on bad MPJ 2020-11-27 11:05:31 -08:00
ncsi
netfilter netfilter: nftables_offload: build mask based from the matching bytes 2020-11-27 12:10:47 +01:00
netlabel netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist() 2020-11-14 12:07:57 -08:00
netlink
netrom
nfc
nsh
openvswitch net: openvswitch: fix TTL decrement action netlink message format 2020-11-27 11:03:06 -08:00
packet net/packet: fix packet receive on L3 devices without visible hard header 2020-11-23 17:29:36 -08:00
phonet
psample
qrtr
rds
rfkill
rose rose: Fix Null pointer dereference in rose_send_frame() 2020-11-20 10:04:58 -08:00
rxrpc
sched
sctp sctp: change to hold/put transport for proto_unreach_timer 2020-11-14 11:57:12 -08:00
smc net/smc: fix direct access to ib_gid_addr->ndev in smc_ib_determine_gid() 2020-11-19 10:59:19 -08:00
strparser
sunrpc
switchdev
tipc tipc: fix incompatible mtu of transmission 2020-12-01 15:26:57 -08:00
tls net/tls: Protect from calling tls_dev_del for TLS RX twice 2020-11-25 17:31:06 -08:00
unix
vmw_vsock vsock/virtio: discard packets only when socket is really closed 2020-11-23 16:36:29 -08:00
wimax
wireless
x25 net/x25: prevent a couple of overflows 2020-12-02 17:26:36 -08:00
xdp net, xsk: Avoid taking multiple skbuff references 2020-11-24 22:39:56 +01:00
xfrm
compat.c
devres.c
Kconfig
Makefile
socket.c
sysctl_net.c