Commit 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9

Authored by Alan Cox
Committed by David S. Miller
1 parent 03ba999117

af_rose/x25: Sanity check the maximum user frame size

Otherwise we can wrap the sizes and end up sending garbage.

Closes #10423

Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 3 changed files with 15 additions and 1 deletions

net/netrom/af_netrom.c
... ... @@ -1086,7 +1086,11 @@
1086 1086  
1087 1087 SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");
1088 1088  
1089   - /* Build a packet */
  1089 + /* Build a packet - the conventional user limit is 236 bytes. We can
  1090 + do ludicrously large NetROM frames but must not overflow */
  1091 + if (len > 65536)
  1092 + return -EMSGSIZE;
  1093 +
1090 1094 SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
1091 1095 size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
1092 1096  
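Review bot: The bound in the added check is `len > 65536`, while the other two send paths changed in this commit reject `len > 65535`, so NET/ROM accepts one byte more than they do. If all three guard the same wrap, this should read `if (len > 65535)`; if the difference is deliberate, the comment should say why. The comment also cites 236 bytes as the conventional user limit without saying where 65536 comes from, and `size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN` still exceeds the checked bound for a maximal len, so it is worth stating which quantity must not overflow.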
... ... @@ -1124,6 +1124,10 @@
1124 1124  
1125 1125 /* Build a packet */
1126 1126 SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
  1127 + /* Sanity check the packet size */
  1128 + if (len > 65535)
  1129 + return -EMSGSIZE;
  1130 +
1127 1131 size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN;
1128 1132  
1129 1133 if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)
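Review bot: The new check bounds `len`, but the value handed to `sock_alloc_send_skb()` is `size`, which adds AX25_BPQ_HEADER_LEN, AX25_MAX_HEADER_LEN and ROSE_MIN_LEN on the following line, so a len of 65535 passes the check and produces a size above 65535. If the wrap being fixed is in something derived from size, test size after it is computed (or subtract the header lengths from the limit); if it is len itself that is truncated later, the comment should name that field instead of only saying "Sanity check the packet size".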
... ... @@ -1035,6 +1035,12 @@
1035 1035 sx25.sx25_addr = x25->dest_addr;
1036 1036 }
1037 1037  
  1038 + /* Sanity check the packet size */
  1039 + if (len > 65535) {
  1040 + rc = -EMSGSIZE;
  1041 + goto out;
  1042 + }
  1043 +
1038 1044 SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n");
1039 1045  
1040 1046 /* Build a packet */
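Review bot: The literal in `if (len > 65535)` is now repeated across the files in this commit (with 65536 in the NET/ROM hunk), and the comment does not say what the number represents. A shared named constant with a one-line explanation of the field that wraps would document the limit and keep the three protocols consistent. The error path here is `rc = -EMSGSIZE; goto out;` where the other two hunks return directly, so confirm that `out` is the right exit at this point in the function.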