6ee50c8e26
The .x25_addr[] address comes from the user and is not necessarily NUL terminated. This leads to a couple problems. The first problem is that the strlen() in x25_bind() can read beyond the end of the buffer.

The second problem is more subtle and could result in memory corruption. The call tree is: x25_connect() --> x25_write_internal() --> x25_addr_aton()

The .x25_addr[] buffers are copied to the "addresses" buffer from x25_write_internal() so it will lead to stack corruption.

Verify that the strings are NUL terminated and return -EINVAL if they are not.

Fixes:

| File |
|---|
| af_x25.c |
| Kconfig |
| Makefile |
| sysctl_net_x25.c |
| x25_dev.c |
| x25_facilities.c |
| x25_forward.c |
| x25_in.c |
| x25_link.c |
| x25_out.c |
| x25_proc.c |
| x25_route.c |
| x25_subr.c |
| x25_timer.c |
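The check the commit message describes, as an added user-space sketch that is not the kernel's code: a fixed-size address field is rejected with -EINVAL unless a NUL lies inside it, before any length-driven copy runs. The `demo_*` names, the 16-byte field size and the nibble packer are assumptions made for illustration, and `memchr()` stands in for whatever bounded check the actual fix uses.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define DEMO_ADDR_LEN   16                  /* assumed field size for this sketch */
#define DEMO_PACKED_MAX (1 + DEMO_ADDR_LEN) /* length byte + packed digits */

struct demo_addr {                          /* hypothetical user-supplied address */
    char x25_addr[DEMO_ADDR_LEN];
};

/* Length of the digit string, or -EINVAL when no NUL lies inside the field.
 * memchr() is bounded by DEMO_ADDR_LEN, so unlike strlen() it cannot read
 * past the end of the array. */
int demo_addr_len(const struct demo_addr *a)
{
    const char *nul = memchr(a->x25_addr, '\0', DEMO_ADDR_LEN);
    return nul ? (int)(nul - a->x25_addr) : -EINVAL;
}

/* Hypothetical packer: one length byte, then both digit strings as 4-bit
 * nibbles. out must hold DEMO_PACKED_MAX bytes. Both inputs are validated
 * first, so each length is at most DEMO_ADDR_LEN - 1 and every write stays
 * inside out. Returns the number of bytes written, or -EINVAL. */
int demo_pack(unsigned char *out, const struct demo_addr *called,
              const struct demo_addr *calling)
{
    int called_len = demo_addr_len(called);
    int calling_len = demo_addr_len(calling);
    int i, total;

    if (called_len < 0 || calling_len < 0)
        return -EINVAL;                     /* unterminated: refuse before copying */

    total = called_len + calling_len;
    memset(out, 0, DEMO_PACKED_MAX);
    out[0] = (unsigned char)((calling_len << 4) | called_len);
    for (i = 0; i < total; i++) {
        char c = i < called_len ? called->x25_addr[i]
                                : calling->x25_addr[i - called_len];
        unsigned char nib = (unsigned char)((c - '0') & 0x0f); /* keep low nibble */
        out[1 + i / 2] |= (i % 2 == 0) ? (unsigned char)(nib << 4) : nib;
    }
    return 1 + (total + 1) / 2;
}
```

Without the early return, a field filled to its last byte would let the length computation run into adjacent memory and size the copy from whatever it found there.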