Commit 83e0bbcb authored by Alan Cox's avatar Alan Cox Committed by David S. Miller

af_rose/x25: Sanity check the maximum user frame size

Otherwise we can wrap the sizes and end up sending garbage.

Closes #10423
Signed-off-by: default avatarAlan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 03ba9991
...@@ -1086,7 +1086,11 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock, ...@@ -1086,7 +1086,11 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n"); SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");
/* Build a packet */ /* Build a packet - the conventional user limit is 236 bytes. We can
do ludicrously large NetROM frames but must not overflow */
if (len > 65536)
return -EMSGSIZE;
SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n"); SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN; size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
......
...@@ -1124,6 +1124,10 @@ static int rose_sendmsg(struct kiocb *iocb, struct socket *sock, ...@@ -1124,6 +1124,10 @@ static int rose_sendmsg(struct kiocb *iocb, struct socket *sock,
/* Build a packet */ /* Build a packet */
SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n"); SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
/* Sanity check the packet size */
if (len > 65535)
return -EMSGSIZE;
size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN; size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN;
if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL) if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)
......
...@@ -1035,6 +1035,12 @@ static int x25_sendmsg(struct kiocb *iocb, struct socket *sock, ...@@ -1035,6 +1035,12 @@ static int x25_sendmsg(struct kiocb *iocb, struct socket *sock,
sx25.sx25_addr = x25->dest_addr; sx25.sx25_addr = x25->dest_addr;
} }
/* Sanity check the packet size */
if (len > 65535) {
rc = -EMSGSIZE;
goto out;
}
SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n"); SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n");
/* Build a packet */ /* Build a packet */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment