Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 83e0bbcb authored Mar 27, 2009 by Alan Cox Committed by David S. Miller Mar 27, 2009

af_rose/x25: Sanity check the maximum user frame size



Otherwise we can wrap the sizes and end up sending garbage.

Closes #10423

Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 03ba9991

net/netrom/af_netrom.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -1086,7 +1086,11 @@ static int nr_sendmsg(struct kiocb iocb, struct socket sock,

		SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");

		/* Build a packet */
		/* Build a packet - the conventional user limit is 236 bytes. We can
		do ludicrously large NetROM frames but must not overflow */
		if (len > 65536)
		return -EMSGSIZE;

		SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
		size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;

net/rose/af_rose.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -1124,6 +1124,10 @@ static int rose_sendmsg(struct kiocb iocb, struct socket sock,

		/* Build a packet */
		SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
		/* Sanity check the packet size */
		if (len > 65535)
		return -EMSGSIZE;

		size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN;

		if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)

net/x25/af_x25.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -1035,6 +1035,12 @@ static int x25_sendmsg(struct kiocb iocb, struct socket sock,
		sx25.sx25_addr = x25->dest_addr;
		}

		/* Sanity check the packet size */
		if (len > 65535) {
		rc = -EMSGSIZE;
		goto out;
		}

		SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n");

		/* Build a packet */