summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorAlan Cox <alan@lxorguk.ukuu.org.uk>2009-03-27 00:28:21 -0700
committerDavid S. Miller <davem@davemloft.net>2009-03-27 00:28:21 -0700
commit83e0bbcbe2145f160fbaa109b0439dae7f4a38a9 (patch)
treede3f516afc1878914855c9393b1e08c698ac378c /net
parent03ba999117eb8688252f9068356b6e028c2c3a56 (diff)
downloadlinux-stable-83e0bbcbe2145f160fbaa109b0439dae7f4a38a9.tar.gz
linux-stable-83e0bbcbe2145f160fbaa109b0439dae7f4a38a9.tar.bz2
linux-stable-83e0bbcbe2145f160fbaa109b0439dae7f4a38a9.zip
af_rose/x25: Sanity check the maximum user frame size
Otherwise we can wrap the sizes and end up sending garbage. Closes #10423 Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/netrom/af_netrom.c6
-rw-r--r--net/rose/af_rose.c4
-rw-r--r--net/x25/af_x25.c6
3 files changed, 15 insertions, 1 deletions
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 6d9c58ec56ac..d1c16bbee932 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -1086,7 +1086,11 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");
- /* Build a packet */
+ /* Build a packet - the conventional user limit is 236 bytes. We can
+ do ludicrously large NetROM frames but must not overflow */
+ if (len > 65536)
+ return -EMSGSIZE;
+
SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 650139626581..0f36e8d59b29 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -1124,6 +1124,10 @@ static int rose_sendmsg(struct kiocb *iocb, struct socket *sock,
/* Build a packet */
SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
+ /* Sanity check the packet size */
+ if (len > 65535)
+ return -EMSGSIZE;
+
size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN;
if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 9ca17b1ce52e..ed80af8ca5fb 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -1035,6 +1035,12 @@ static int x25_sendmsg(struct kiocb *iocb, struct socket *sock,
sx25.sx25_addr = x25->dest_addr;
}
+ /* Sanity check the packet size */
+ if (len > 65535) {
+ rc = -EMSGSIZE;
+ goto out;
+ }
+
SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n");
/* Build a packet */