diff options
author | Alan Cox <alan@lxorguk.ukuu.org.uk> | 2009-03-27 00:28:21 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-03-27 00:28:21 -0700 |
commit | 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9 (patch) | |
tree | de3f516afc1878914855c9393b1e08c698ac378c /net/rose | |
parent | 03ba999117eb8688252f9068356b6e028c2c3a56 (diff) | |
download | linux-stable-83e0bbcbe2145f160fbaa109b0439dae7f4a38a9.tar.gz linux-stable-83e0bbcbe2145f160fbaa109b0439dae7f4a38a9.tar.bz2 linux-stable-83e0bbcbe2145f160fbaa109b0439dae7f4a38a9.zip |
af_rose/x25: Sanity check the maximum user frame size
Otherwise we can wrap the sizes and end up sending garbage.
Closes #10423
Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/rose')
-rw-r--r-- | net/rose/af_rose.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c index 650139626581..0f36e8d59b29 100644 --- a/net/rose/af_rose.c +++ b/net/rose/af_rose.c @@ -1124,6 +1124,10 @@ static int rose_sendmsg(struct kiocb *iocb, struct socket *sock, /* Build a packet */ SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n"); + /* Sanity check the packet size */ + if (len > 65535) + return -EMSGSIZE; + size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN; if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL) |