-rw-r--r-- | net/appletalk/ddp.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 697ac55e29dc..5f33e4817a58 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1423,10 +1423,13 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev,
 /*
 * Size check to see if ddp->deh_len was crap
 * (Otherwise we'll detonate most spectacularly
- * in the middle of recvmsg()).
+ * in the middle of atalk_checksum() or recvmsg()).
 */
- if (skb->len < sizeof(*ddp))
+ if (skb->len < sizeof(*ddp) || skb->len < ddphv.deh_len) {
+ pr_debug("AppleTalk: dropping corrupted frame (deh_len=%u, "
+ "skb->len=%u)\n", ddphv.deh_len, skb->len);
 goto freeit;
+ }

 /*
 * Any checksums. Note we don't do htons() on this == is assumed to be |
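Review bot: The new drop path in atalk_rcv() logs once per malformed frame with no rate limit, and the frame contents that trigger it are chosen by whoever is sending on the link. pr_debug() is normally compiled out or disabled, but once dynamic debug is switched on for this file a stream of frames with an oversized deh_len turns into a stream of log lines. A rate-limited variant keeps the diagnostic without that side effect, and writing the format string on one line keeps it greppable: `net_dbg_ratelimited("AppleTalk: dropping corrupted frame (deh_len=%u, skb->len=%u)\n", ddphv.deh_len, skb->len);` (if that helper is available in this tree). The comment above the check still names `ddp->deh_len` while the comparison reads `ddphv.deh_len`, which is filled in outside this hunk. The comment should say which copy of the header is being validated.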