-
由 Dan Carpenter 提交于
The .x25_addr[] address comes from the user and is not necessarily NUL terminated. This leads to a couple problems. The first problem is that the strlen() in x25_bind() can read beyond the end of the buffer. The second problem is more subtle and could result in memory corruption. The call tree is: x25_connect() --> x25_write_internal() --> x25_addr_aton() The .x25_addr[] buffers are copied to the "addresses" buffer from x25_write_internal() so it will lead to stack corruption. Verify that the strings are NUL terminated and return -EINVAL if they are not. Fixes: 1da177e4 ("Linux-2.6.12-rc2") Fixes: a9288525 ("X25: Dont let x25_bind use addresses containing characters") Reported-by: N"kiyin(尹亮)" <kiyin@tencent.com> Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com> Acked-by: NMartin Schiller <ms@dev.tdt.de> Link: https://lore.kernel.org/r/X8ZeAKm8FnFpN//B@mwandaSigned-off-by: NJakub Kicinski <kuba@kernel.org>
6ee50c8e