aboutsummaryrefslogtreecommitdiff
path: root/net/netrom/af_netrom.c
diff options
context:
space:
mode:
authorAlan Cox <alan@lxorguk.ukuu.org.uk>2009-03-27 00:28:21 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2009-05-02 10:24:04 -0700
commite16cf6626bb2160fee3dfda596a2b1469486c585 (patch)
tree4968c033e6396e8e9fedb25093882ba282fe7300 /net/netrom/af_netrom.c
parentcf42ed344ad0d6c0fc12e29b817823af106b4720 (diff)
af_rose/x25: Sanity check the maximum user frame size
upstream commit: 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9 CVE-2009-0795. Otherwise we can wrap the sizes and end up sending garbage. Closes #10423 Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'net/netrom/af_netrom.c')
-rw-r--r--net/netrom/af_netrom.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 9f1ea4a27b3..24da05040fd 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -1082,7 +1082,11 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");
- /* Build a packet */
+ /* Build a packet - the conventional user limit is 236 bytes. We can
+ do ludicrously large NetROM frames but must not overflow */
+ if (len > 65536)
+ return -EMSGSIZE;
+
SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;