AX.25: Prevent integer overflows in connect and sendmsg

[linux-2.6-microblaze.git] / net / ax25 / af_ax25.c

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index fd91cd3..dec3f35 100644 (file)
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1187,7 +1187,10 @@ static int __must_check ax25_connect(struct socket *sock,
        if (addr_len > sizeof(struct sockaddr_ax25) &&
            fsa->fsa_ax25.sax25_ndigis != 0) {
                /* Valid number of digipeaters ? */
-               if (fsa->fsa_ax25.sax25_ndigis < 1 || fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS) {
+               if (fsa->fsa_ax25.sax25_ndigis < 1 ||
+                   fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS ||
+                   addr_len < sizeof(struct sockaddr_ax25) +
+                   sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis) {
                        err = -EINVAL;
                        goto out_release;
                }
@@ -1507,7 +1510,10 @@ static int ax25_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
                        struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)usax;
 
                        /* Valid number of digipeaters ? */
-                       if (usax->sax25_ndigis < 1 || usax->sax25_ndigis > AX25_MAX_DIGIS) {
+                       if (usax->sax25_ndigis < 1 ||
+                           usax->sax25_ndigis > AX25_MAX_DIGIS ||
+                           addr_len < sizeof(struct sockaddr_ax25) +
+                           sizeof(ax25_address) * usax->sax25_ndigis) {
                                err = -EINVAL;
                                goto out;
                        }