[patch 26/88] af_rose/x25: Sanity check the maximum user frame size

From: Greg KH
Date: Thu Apr 30 2009 - 13:19:26 EST

Next message: Greg KH: "[patch 28/88] kprobes: Fix locking imbalance in kretprobes"
Previous message: Greg KH: "[patch 27/88] net/netrom: Fix socket locking"
In reply to: Greg KH: "[patch 27/88] net/netrom: Fix socket locking"
Next in thread: Greg KH: "[patch 28/88] kprobes: Fix locking imbalance in kretprobes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2.6.28-stable review patch. If anyone has any objections, please let us know.

------------------

From: Alan Cox <alan@xxxxxxxxxxxxxxxxxxx>

upstream commit: 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9

CVE-2009-0795.

Otherwise we can wrap the sizes and end up sending garbage.

Closes #10423

Signed-off-by: Alan Cox <alan@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
net/netrom/af_netrom.c | 6 +++++-
net/rose/af_rose.c | 4 ++++
net/x25/af_x25.c | 6 ++++++
3 files changed, 15 insertions(+), 1 deletion(-)

--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -1082,7 +1082,11 @@ static int nr_sendmsg(struct kiocb *iocb

SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");

- /* Build a packet */
+ /* Build a packet - the conventional user limit is 236 bytes. We can
+ do ludicrously large NetROM frames but must not overflow */
+ if (len > 65536)
+ return -EMSGSIZE;
+
SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;

--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -1124,6 +1124,10 @@ static int rose_sendmsg(struct kiocb *io

/* Build a packet */
SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
+ /* Sanity check the packet size */
+ if (len > 65535)
+ return -EMSGSIZE;
+
size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN;

if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -1037,6 +1037,12 @@ static int x25_sendmsg(struct kiocb *ioc
sx25.sx25_addr = x25->dest_addr;
}

+ /* Sanity check the packet size */
+ if (len > 65535) {
+ rc = -EMSGSIZE;
+ goto out;
+ }
+
SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n");

/* Build a packet */

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "[patch 28/88] kprobes: Fix locking imbalance in kretprobes"
Previous message: Greg KH: "[patch 27/88] net/netrom: Fix socket locking"
In reply to: Greg KH: "[patch 27/88] net/netrom: Fix socket locking"
Next in thread: Greg KH: "[patch 28/88] kprobes: Fix locking imbalance in kretprobes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]