[APPLETALK]: Fix a remotely triggerable crash

[linux-2.6-omap-h63xx.git] / net / appletalk / ddp.c

diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 113c175f171586242370c5e006f36c5c07bd4724..c8b7dc2c3257f6ac9d936eabf8a4f75ba660b1c4 100644 (file)
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1417,10 +1417,13 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev,
        /*
         * Size check to see if ddp->deh_len was crap
         * (Otherwise we'll detonate most spectacularly
-        * in the middle of recvmsg()).
+        * in the middle of atalk_checksum() or recvmsg()).
         */
-       if (skb->len < sizeof(*ddp))
+       if (skb->len < sizeof(*ddp) || skb->len < (len_hops & 1023)) {
+               pr_debug("AppleTalk: dropping corrupted frame (deh_len=%u, "
+                        "skb->len=%u)\n", len_hops & 1023, skb->len);
                goto freeit;
+       }
 
        /*
         * Any checksums. Note we don't do htons() on this == is assumed to be