net/x25: Fix overflow when accumulating packets

Add a check to ensure that `x25_sock.fraglen` does not overflow. The `fraglen` also needs to be resetted when purging `fragment_queue` in `x25_clear_queues()`. Fixes: 1da177e4c3 ("Linux-2.6.12-rc2") Suggested-by: Yiming Qian <yimingqian591@gmail.com> Signed-off-by: Martin Schiller <ms@dev.tdt.de> Link: https://patch.msgid.link/20260331-x25_fraglen-v4-2-3e69f18464b4@dev.tdt.de Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-03-31 09:43:18 +02:00 · 2026-03-31 09:43:18 +02:00 · a1822cb524
parent d10a26aa4d
commit a1822cb524
2 changed files with 5 additions and 0 deletions
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@ -34,6 +34,10 @@ static int x25_queue_rx_frame(struct sock *sk, struct sk_buff *skb, int more)
 	struct sk_buff *skbo, *skbn = skb;
 	struct x25_sock *x25 = x25_sk(sk);

+	/* make sure we don't overflow */
+	if (x25->fraglen + skb->len > USHRT_MAX)
+		return 1;
+
 	if (more) {
 		x25->fraglen += skb->len;
 		skb_queue_tail(&x25->fragment_queue, skb);
--- a/net/x25/x25_subr.c
+++ b/net/x25/x25_subr.c
@ -40,6 +40,7 @@ void x25_clear_queues(struct sock *sk)
 	skb_queue_purge(&x25->interrupt_in_queue);
 	skb_queue_purge(&x25->interrupt_out_queue);
 	skb_queue_purge(&x25->fragment_queue);
+	x25->fraglen = 0;
 }