| From 33d06566b593703a972da232d08b6a12176f1854 Mon Sep 17 00:00:00 2001 |
| From: Alan Cox <alan@lxorguk.ukuu.org.uk> |
| Date: Fri, 27 Mar 2009 00:28:21 -0700 |
| Subject: af_rose/x25: Sanity check the maximum user frame size |
| |
| From: Alan Cox <alan@lxorguk.ukuu.org.uk> |
| |
| upstream commit: 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9 |
| |
| CVE-2009-0795. |
| |
| Otherwise we can wrap the sizes and end up sending garbage. |
| |
| Closes #10423 |
| |
| Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Chris Wright <chrisw@sous-sol.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| --- |
| net/netrom/af_netrom.c | 6 +++++- |
| net/rose/af_rose.c | 4 ++++ |
| net/x25/af_x25.c | 6 ++++++ |
| 3 files changed, 15 insertions(+), 1 deletion(-) |
| |
| --- a/net/netrom/af_netrom.c |
| +++ b/net/netrom/af_netrom.c |
| @@ -1082,7 +1082,11 @@ static int nr_sendmsg(struct kiocb *iocb |
| |
| SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n"); |
| |
| - /* Build a packet */ |
| + /* Build a packet - the conventional user limit is 236 bytes. We can |
| + do ludicrously large NetROM frames but must not overflow */ |
| + if (len > 65536) |
| + return -EMSGSIZE; |
| + |
| SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n"); |
| size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN; |
| |
| --- a/net/rose/af_rose.c |
| +++ b/net/rose/af_rose.c |
| @@ -1124,6 +1124,10 @@ static int rose_sendmsg(struct kiocb *io |
| |
| /* Build a packet */ |
| SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n"); |
| + /* Sanity check the packet size */ |
| + if (len > 65535) |
| + return -EMSGSIZE; |
| + |
| size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN; |
| |
| if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL) |
| --- a/net/x25/af_x25.c |
| +++ b/net/x25/af_x25.c |
| @@ -1037,6 +1037,12 @@ static int x25_sendmsg(struct kiocb *ioc |
| sx25.sx25_addr = x25->dest_addr; |
| } |
| |
| + /* Sanity check the packet size */ |
| + if (len > 65535) { |
| + rc = -EMSGSIZE; |
| + goto out; |
| + } |
| + |
| SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n"); |
| |
| /* Build a packet */ |