diff options
| author | Alan Cox <alan@lxorguk.ukuu.org.uk> | 2009-03-27 03:28:21 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2009-03-27 03:28:21 -0400 |
| commit | 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9 (patch) | |
| tree | de3f516afc1878914855c9393b1e08c698ac378c | |
| parent | 03ba999117eb8688252f9068356b6e028c2c3a56 (diff) | |
af_rose/x25: Sanity check the maximum user frame size
Otherwise we can wrap the sizes and end up sending garbage.
Closes #10423
Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/netrom/af_netrom.c | 6 | ||||
| -rw-r--r-- | net/rose/af_rose.c | 4 | ||||
| -rw-r--r-- | net/x25/af_x25.c | 6 |
3 files changed, 15 insertions, 1 deletions
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index 6d9c58ec56ac..d1c16bbee932 100644 --- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c | |||
| @@ -1086,7 +1086,11 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
| 1086 | 1086 | ||
| 1087 | SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n"); | 1087 | SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n"); |
| 1088 | 1088 | ||
| 1089 | /* Build a packet */ | 1089 | /* Build a packet - the conventional user limit is 236 bytes. We can |
| 1090 | do ludicrously large NetROM frames but must not overflow */ | ||
| 1091 | if (len > 65536) | ||
| 1092 | return -EMSGSIZE; | ||
| 1093 | |||
| 1090 | SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n"); | 1094 | SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n"); |
| 1091 | size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN; | 1095 | size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN; |
| 1092 | 1096 | ||
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c index 650139626581..0f36e8d59b29 100644 --- a/net/rose/af_rose.c +++ b/net/rose/af_rose.c | |||
| @@ -1124,6 +1124,10 @@ static int rose_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
| 1124 | 1124 | ||
| 1125 | /* Build a packet */ | 1125 | /* Build a packet */ |
| 1126 | SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n"); | 1126 | SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n"); |
| 1127 | /* Sanity check the packet size */ | ||
| 1128 | if (len > 65535) | ||
| 1129 | return -EMSGSIZE; | ||
| 1130 | |||
| 1127 | size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN; | 1131 | size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN; |
| 1128 | 1132 | ||
| 1129 | if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL) | 1133 | if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL) |
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c index 9ca17b1ce52e..ed80af8ca5fb 100644 --- a/net/x25/af_x25.c +++ b/net/x25/af_x25.c | |||
| @@ -1035,6 +1035,12 @@ static int x25_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
| 1035 | sx25.sx25_addr = x25->dest_addr; | 1035 | sx25.sx25_addr = x25->dest_addr; |
| 1036 | } | 1036 | } |
| 1037 | 1037 | ||
| 1038 | /* Sanity check the packet size */ | ||
| 1039 | if (len > 65535) { | ||
| 1040 | rc = -EMSGSIZE; | ||
| 1041 | goto out; | ||
| 1042 | } | ||
| 1043 | |||
| 1038 | SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n"); | 1044 | SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n"); |
| 1039 | 1045 | ||
| 1040 | /* Build a packet */ | 1046 | /* Build a packet */ |