releases/2.6.28.10/0043-af_rose-x25-Sanity-check-the-maximum-user-frame-siz.patch - pub/scm/linux/kernel/git/warthog9/stable-queue - Git at Google

 From 33d06566b593703a972da232d08b6a12176f1854 Mon Sep 17 00:00:00 2001
 From: Alan Cox <alan@lxorguk.ukuu.org.uk>
 Date: Fri, 27 Mar 2009 00:28:21 -0700
 Subject: af_rose/x25: Sanity check the maximum user frame size

 From: Alan Cox <alan@lxorguk.ukuu.org.uk>

 upstream commit: 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9

 CVE-2009-0795.

 Otherwise we can wrap the sizes and end up sending garbage.

 Closes #10423

 Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
 ---
  net/netrom/af_netrom.c |    6 +++++-
  net/rose/af_rose.c     |    4 ++++
  net/x25/af_x25.c       |    6 ++++++
  3 files changed, 15 insertions(+), 1 deletion(-)

 --- a/net/netrom/af_netrom.c
 +++ b/net/netrom/af_netrom.c
 @@ -1082,7 +1082,11 @@ static int nr_sendmsg(struct kiocb *iocb

  	SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");

 -	/* Build a packet */
 +	/* Build a packet - the conventional user limit is 236 bytes. We can
 +	   do ludicrously large NetROM frames but must not overflow */
 +	if (len > 65536)
 +		return -EMSGSIZE;
 +
  	SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
  	size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;

 --- a/net/rose/af_rose.c
 +++ b/net/rose/af_rose.c
 @@ -1124,6 +1124,10 @@ static int rose_sendmsg(struct kiocb *io

  	/* Build a packet */
  	SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
 +	/* Sanity check the packet size */
 +	if (len > 65535)
 +		return -EMSGSIZE;
 +
  	size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN;

  	if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)
 --- a/net/x25/af_x25.c
 +++ b/net/x25/af_x25.c
 @@ -1037,6 +1037,12 @@ static int x25_sendmsg(struct kiocb *ioc
  		sx25.sx25_addr   = x25->dest_addr;
  	}

 +	/* Sanity check the packet size */
 +	if (len > 65535) {
 +		rc = -EMSGSIZE;
 +		goto out;
 +	}
 +
  	SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n");

  	/* Build a packet */
	From 33d06566b593703a972da232d08b6a12176f1854 Mon Sep 17 00:00:00 2001
	From: Alan Cox <alan@lxorguk.ukuu.org.uk>
	Date: Fri, 27 Mar 2009 00:28:21 -0700
	Subject: af_rose/x25: Sanity check the maximum user frame size

	From: Alan Cox <alan@lxorguk.ukuu.org.uk>

	upstream commit: 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9

	CVE-2009-0795.

	Otherwise we can wrap the sizes and end up sending garbage.

	Closes #10423

	Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Chris Wright <chrisw@sous-sol.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	---
	net/netrom/af_netrom.c \| 6 +++++-
	net/rose/af_rose.c \| 4 ++++
	net/x25/af_x25.c \| 6 ++++++
	3 files changed, 15 insertions(+), 1 deletion(-)

	--- a/net/netrom/af_netrom.c
	+++ b/net/netrom/af_netrom.c
	@@ -1082,7 +1082,11 @@ static int nr_sendmsg(struct kiocb *iocb

	SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");

	- /* Build a packet */
	+ /* Build a packet - the conventional user limit is 236 bytes. We can
	+ do ludicrously large NetROM frames but must not overflow */
	+ if (len > 65536)
	+ return -EMSGSIZE;
	+
	SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
	size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;

	--- a/net/rose/af_rose.c
	+++ b/net/rose/af_rose.c
	@@ -1124,6 +1124,10 @@ static int rose_sendmsg(struct kiocb *io

	/* Build a packet */
	SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
	+ /* Sanity check the packet size */
	+ if (len > 65535)
	+ return -EMSGSIZE;
	+
	size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN;

	if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)
	--- a/net/x25/af_x25.c
	+++ b/net/x25/af_x25.c
	@@ -1037,6 +1037,12 @@ static int x25_sendmsg(struct kiocb *ioc
	sx25.sx25_addr = x25->dest_addr;
	}

	+ /* Sanity check the packet size */
	+ if (len > 65535) {
	+ rc = -EMSGSIZE;
	+ goto out;
	+ }
	+
	SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n");

	/* Build a packet */