summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--net/appletalk/ddp.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 113c175..c8b7dc2 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1417,10 +1417,13 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev,
/*
* Size check to see if ddp->deh_len was crap
* (Otherwise we'll detonate most spectacularly
- * in the middle of recvmsg()).
+ * in the middle of atalk_checksum() or recvmsg()).
*/
- if (skb->len < sizeof(*ddp))
+ if (skb->len < sizeof(*ddp) || skb->len < (len_hops & 1023)) {
+ pr_debug("AppleTalk: dropping corrupted frame (deh_len=%u, "
+ "skb->len=%u)\n", len_hops & 1023, skb->len);
goto freeit;
+ }
/*
* Any checksums. Note we don't do htons() on this == is assumed to be