[PATCH net] net: ax25: fix integer overflow in ax25_rx_fragment()
From: Mashiro Chen
Date: Wed Apr 08 2026 - 13:29:22 EST
The ax25_cb fragmentation reassembly accumulator:
ax25->fraglen += skb->len;
operates on the unsigned short field 'fraglen' declared in ax25_cb:
unsigned short paclen, fragno, fraglen;
When fragments accumulate with a combined payload exceeding 65535
bytes, fraglen wraps to near zero. The subsequent allocation:
skb = alloc_skb(AX25_MAX_HEADER_LEN + ax25->fraglen, GFP_ATOMIC);
then allocates a tiny buffer. Every skb_put() call in the copy loop
that follows writes far beyond the allocated headroom, corrupting
the kernel heap.
An attacker on an AX.25 link that supports multi-fragment I-frames
(AX25_SEG_FIRST / AX25_SEG_REM mechanism) can trigger this by
sending enough continuation fragments to wrap the 16-bit counter.
With AX.25 segment numbers limited to 6 bits (max 63 continuation
fragments), a fragment payload of ~1040 bytes per fragment is
sufficient to overflow.
Fix mirrors the identical bug fixed in NET/ROM (nr_in.c): check for
overflow before adding skb->len to fraglen, and abort fragment
reassembly cleanly if the limit would be exceeded.
Cc: stable@xxxxxxxxxxxxxxx
Cc: linux-hams@xxxxxxxxxxxxxxx
Signed-off-by: Mashiro Chen <mashiro.chen@xxxxxxxxxxx>
---
net/ax25/ax25_in.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
index d75b3e9ed93de8..68202c19b19e3f 100644
--- a/net/ax25/ax25_in.c
+++ b/net/ax25/ax25_in.c
@@ -41,6 +41,11 @@ static int ax25_rx_fragment(ax25_cb *ax25, struct sk_buff *skb)
/* Enqueue fragment */
ax25->fragno = *skb->data & AX25_SEG_REM;
skb_pull(skb, 1); /* skip fragno */
+ if ((unsigned int)ax25->fraglen + skb->len > USHRT_MAX) {
+ skb_queue_purge(&ax25->frag_queue);
+ ax25->fragno = 0;
+ return 1;
+ }
ax25->fraglen += skb->len;
skb_queue_tail(&ax25->frag_queue, skb);
--
2.53.0