rose: Add length checks to CALL_REQUEST parsing

Define some constant offsets for CALL_REQUEST based on the description
at <http://www.techfest.com/networking/wan/x25plp.htm> and the
definition of ROSE as using 10-digit (5-byte) addresses.  Use them
consistently.  Validate all implicit and explicit facilities lengths.
Validate the address length byte rather than either trusting or
assuming its value.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 12 insertions, 1 deletions

diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
index ae4a9d99aec7..344456206b70 100644
--- a/net/rose/rose_loopback.c
+++ b/net/rose/rose_loopback.c
@@ -73,9 +73,20 @@ static void rose_loopback_timer(unsigned long param)
         unsigned int lci_i, lci_o;
 
         while ((skb = skb_dequeue(&loopback_queue)) != NULL) {
+                if (skb->len < ROSE_MIN_LEN) {
+                        kfree_skb(skb);
+                        continue;
+                }
                 lci_i     = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
                 frametype = skb->data[2];
-                dest      = (rose_address *)(skb->data + 4);
+                if (frametype == ROSE_CALL_REQUEST &&
+                    (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF ||
+                     skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] !=
+                     ROSE_CALL_REQ_ADDR_LEN_VAL)) {
+                        kfree_skb(skb);
+                        continue;
+                }
+                dest      = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF);
                 lci_o     = ROSE_DEFAULT_MAXVC + 1 - lci_i;
 
                 skb_reset_transport_header(skb);