diff --git a/[refs] b/[refs]
index 42247e852f26..998ce6424ae5 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: f36c23bb9f822904dacf83a329518d0a5fde7968
+refs/heads/master: c7fd0d48bde943e228e9c28ce971a22d6a1744c4
diff --git a/trunk/net/x25/af_x25.c b/trunk/net/x25/af_x25.c
index d30615419b4d..a4bd1720e39b 100644
--- a/trunk/net/x25/af_x25.c
+++ b/trunk/net/x25/af_x25.c
@@ -958,6 +958,12 @@ int x25_rx_call_request(struct sk_buff *skb, struct x25_neigh *nb,
 		goto out_clear_request;
 	skb_pull(skb,len);
 
+	/*
+	 *	Ensure that the amount of call user data is valid.
+	 */
+	if (skb->len > X25_MAX_CUD_LEN)
+		goto out_clear_request;
+
 	/*
 	 *	Find a listener for the particular address/cud pair.
 	 */
diff --git a/trunk/net/x25/x25_in.c b/trunk/net/x25/x25_in.c
index 0b073b51b183..63488fd4885a 100644
--- a/trunk/net/x25/x25_in.c
+++ b/trunk/net/x25/x25_in.c
@@ -127,6 +127,9 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
 		 *	Copy any Call User Data.
 		 */
 		if (skb->len > 0) {
+			if (skb->len > X25_MAX_CUD_LEN)
+				goto out_clear;
+
 			skb_copy_from_linear_data(skb,
 						  x25->calluserdata.cuddata,
 						  skb->len);