net/x25: Fix overflow when accumulating packets

sch-m · Paolo Abeni · commit a1822cb524e8 · 2026-04-02T13:36:08.000+02:00
Add a check to ensure that `x25_sock.fraglen` does not overflow. The `fraglen` also needs to be resetted when purging `fragment_queue` in `x25_clear_queues()`. Fixes: 1da177e ("Linux-2.6.12-rc2") Suggested-by: Yiming Qian <yimingqian591@gmail.com> Signed-off-by: Martin Schiller <ms@dev.tdt.de> Link: https://patch.msgid.link/20260331-x25_fraglen-v4-2-3e69f18464b4@dev.tdt.de Signed-off-by: Paolo Abeni <pabeni@redhat.com>
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
@@ -34,6 +34,10 @@ static int x25_queue_rx_frame(struct sock *sk, struct sk_buff *skb, int more)
 	struct sk_buff *skbo, *skbn = skb;
 	struct x25_sock *x25 = x25_sk(sk);
 
+	/* make sure we don't overflow */
+	if (x25->fraglen + skb->len > USHRT_MAX)
+		return 1;
+
 	if (more) {
 		x25->fraglen += skb->len;
 		skb_queue_tail(&x25->fragment_queue, skb);
diff --git a/net/x25/x25_subr.c b/net/x25/x25_subr.c
@@ -40,6 +40,7 @@ void x25_clear_queues(struct sock *sk)
 	skb_queue_purge(&x25->interrupt_in_queue);
 	skb_queue_purge(&x25->interrupt_out_queue);
 	skb_queue_purge(&x25->fragment_queue);
+	x25->fraglen = 0;
 }
 
 

Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,7 @@ void x25_clear_queues(struct sock *sk)`
`40`	`40`	`skb_queue_purge(&x25->interrupt_in_queue);`
`41`	`41`	`skb_queue_purge(&x25->interrupt_out_queue);`
`42`	`42`	`skb_queue_purge(&x25->fragment_queue);`
	`43`	`+ x25->fraglen = 0;`
`43`	`44`	`}`
`44`	`45`
`45`	`46`