diff options
author | Alan Cox <alan@lxorguk.ukuu.org.uk> | 2009-03-27 00:28:21 -0700 |
---|---|---|
committer | Chris Wright <chrisw@sous-sol.org> | 2009-04-27 10:36:57 -0700 |
commit | 33d06566b593703a972da232d08b6a12176f1854 (patch) | |
tree | 3c049820daa136828ab440b99beef9471590755c /net | |
parent | 43a00bbcf5aeaac50d9e8271dbfa0d0fc1d4eb43 (diff) |
af_rose/x25: Sanity check the maximum user frame size
upstream commit: 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9
CVE-2009-0795.
Otherwise we can wrap the sizes and end up sending garbage.
Closes #10423
Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/netrom/af_netrom.c | 6 | ||||
-rw-r--r-- | net/rose/af_rose.c | 4 | ||||
-rw-r--r-- | net/x25/af_x25.c | 6 |
3 files changed, 15 insertions, 1 deletions
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index e9c05b8f4f45..2d7fbe7e12db 100644 --- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c @@ -1082,7 +1082,11 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock, SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n"); - /* Build a packet */ + /* Build a packet - the conventional user limit is 236 bytes. We can + do ludicrously large NetROM frames but must not overflow */ + if (len > 65536) + return -EMSGSIZE; + SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n"); size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN; diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c index 01392649b462..5e75bbf077db 100644 --- a/net/rose/af_rose.c +++ b/net/rose/af_rose.c @@ -1124,6 +1124,10 @@ static int rose_sendmsg(struct kiocb *iocb, struct socket *sock, /* Build a packet */ SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n"); + /* Sanity check the packet size */ + if (len > 65535) + return -EMSGSIZE; + size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN; if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL) diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c index 9fc5b023d111..88d80f55facc 100644 --- a/net/x25/af_x25.c +++ b/net/x25/af_x25.c @@ -1037,6 +1037,12 @@ static int x25_sendmsg(struct kiocb *iocb, struct socket *sock, sx25.sx25_addr = x25->dest_addr; } + /* Sanity check the packet size */ + if (len > 65535) { + rc = -EMSGSIZE; + goto out; + } + SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n"); /* Build a packet */ |