net/x25/x25_in.c | 6 ++++++ net/x25/x25_subr.c | 1 + 2 files changed, 7 insertions(+)
Add a check to ensure that `x25_sock.fraglen` does not overflow.
The `fraglen` also needs to be reset when purging `fragment_queue` in
`x25_clear_queues()`.
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
---
net/x25/x25_in.c | 6 ++++++
net/x25/x25_subr.c | 1 +
2 files changed, 7 insertions(+)
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
index b981a4828d08c2e6676749a06035910eab01e6cd..1603238d6fff73090ef10b5fd11387b3e7f017a2 100644
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@@ -34,6 +34,12 @@ static int x25_queue_rx_frame(struct sock *sk, struct sk_buff *skb, int more)
struct sk_buff *skbo, *skbn = skb;
struct x25_sock *x25 = x25_sk(sk);
+ /* make sure we don't overflow */
+ if (x25->fraglen + skb->len > sizeof(x25->fraglen)) {
+ kfree_skb(skb);
+ return 1;
+ }
+
if (more) {
x25->fraglen += skb->len;
skb_queue_tail(&x25->fragment_queue, skb);
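Review bot: The new early exit in x25_queue_rx_frame() calls `kfree_skb(skb)` and then returns 1, but the callers are outside this hunk, so it is not visible whether they treat a non-zero return as "not queued" and free the skb themselves; if they do, this path becomes a double free that remote input can reach. Please confirm who owns the skb on a non-zero return, and either drop the `kfree_skb(skb);` here or state the contract in a comment such as `/* skb is consumed here; callers must not free it on a non-zero return */`. The rejection also leaves the fragments already sitting in `fragment_queue` in place and `fraglen` unchanged, so the comment should say whether the caller is expected to call x25_clear_queues() afterwards. The function body continues past the end of the hunk.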
diff --git a/net/x25/x25_subr.c b/net/x25/x25_subr.c
index 0285aaa1e93c17233748d38eef6d8b5c6059b67a..159708d9ad20cb2e6db24ead67daf1e9d6258f64 100644
--- a/net/x25/x25_subr.c
+++ b/net/x25/x25_subr.c
@@ -40,6 +40,7 @@ void x25_clear_queues(struct sock *sk)
skb_queue_purge(&x25->interrupt_in_queue);
skb_queue_purge(&x25->interrupt_out_queue);
skb_queue_purge(&x25->fragment_queue);
+ x25->fraglen = 0;
}
---
base-commit: 4ae97cae07e15d41e5c0ebabba64c6eefdeb0bbe
change-id: 20260325-x25_fraglen-8fc240d1edd3
Best regards,
--
Martin Schiller <ms@dev.tdt.de>
On 2026-03-27 09:30, Martin Schiller wrote:
> Add a check to ensure that `x25_sock.fraglen` does not overflow.
>
> The `fraglen` also needs to be resetted when purging `fragment_queue`
> in
> `x25_clear_queues()`.
>
> Reported-by: Yiming Qian <yimingqian591@gmail.com>
> Signed-off-by: Martin Schiller <ms@dev.tdt.de>
> ---
> net/x25/x25_in.c | 6 ++++++
> net/x25/x25_subr.c | 1 +
> 2 files changed, 7 insertions(+)
>
> diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
> index
> b981a4828d08c2e6676749a06035910eab01e6cd..1603238d6fff73090ef10b5fd11387b3e7f017a2
> 100644
> --- a/net/x25/x25_in.c
> +++ b/net/x25/x25_in.c
> @@ -34,6 +34,12 @@ static int x25_queue_rx_frame(struct sock *sk,
> struct sk_buff *skb, int more)
> struct sk_buff *skbo, *skbn = skb;
> struct x25_sock *x25 = x25_sk(sk);
>
> + /* make sure we don't overflow */
> + if (x25->fraglen + skb->len > sizeof(x25->fraglen)) {
Please ignore this patch. I'll send a V2 without that
"sizeof()" nonsense in a moment.
> + kfree_skb(skb);
> + return 1;
> + }
> +
> if (more) {
> x25->fraglen += skb->len;
> skb_queue_tail(&x25->fragment_queue, skb);
> diff --git a/net/x25/x25_subr.c b/net/x25/x25_subr.c
> index
> 0285aaa1e93c17233748d38eef6d8b5c6059b67a..159708d9ad20cb2e6db24ead67daf1e9d6258f64
> 100644
> --- a/net/x25/x25_subr.c
> +++ b/net/x25/x25_subr.c
> @@ -40,6 +40,7 @@ void x25_clear_queues(struct sock *sk)
> skb_queue_purge(&x25->interrupt_in_queue);
> skb_queue_purge(&x25->interrupt_out_queue);
> skb_queue_purge(&x25->fragment_queue);
> + x25->fraglen = 0;
> }
>
>
>
> ---
> base-commit: 4ae97cae07e15d41e5c0ebabba64c6eefdeb0bbe
> change-id: 20260325-x25_fraglen-8fc240d1edd3
>
> Best regards,
On Fri, 27 Mar 2026 09:36:00 +0100 Martin Schiller wrote:
> > + /* make sure we don't overflow */
> > + if (x25->fraglen + skb->len > sizeof(x25->fraglen)) {
>
> Please ignore this patch. I'll send a V2 without that
> "sizeof()" nonsense in a moment.
We ask that submitters wait 24h before reposting:
https://www.kernel.org/doc/html/next/process/maintainer-netdev.html#tl-dr
--
pv-bot: 24h