af_rose/x25: Sanity check the maximum user frame size

Otherwise we can wrap the sizes and end up sending garbage. Closes #10423 Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Alan Cox <alan@lxorguk.ukuu.org.uk> 2009-03-27 00:28:21 -0700
committer: David S. Miller <davem@davemloft.net> 2009-03-27 00:28:21 -0700
commit: 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9 (patch)
tree: de3f516afc1878914855c9393b1e08c698ac378c /net/netrom
parent: 03ba999117eb8688252f9068356b6e028c2c3a56 (diff)
download: linux-83e0bbcbe2145f160fbaa109b0439dae7f4a38a9.tar.bz2
1 files changed, 5 insertions, 1 deletions
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 6d9c58ec56ac..d1c16bbee932 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -1086,7 +1086,11 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
 
 	SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");
 
-	/* Build a packet */
+	/* Build a packet - the conventional user limit is 236 bytes. We can
+	   do ludicrously large NetROM frames but must not overflow */
+	if (len > 65536)
+		return -EMSGSIZE;
+
 	SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
 	size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
author	Alan Cox <alan@lxorguk.ukuu.org.uk>	2009-03-27 00:28:21 -0700
committer	David S. Miller <davem@davemloft.net>	2009-03-27 00:28:21 -0700
commit	83e0bbcbe2145f160fbaa109b0439dae7f4a38a9 (patch)
tree	de3f516afc1878914855c9393b1e08c698ac378c /net/netrom
parent	03ba999117eb8688252f9068356b6e028c2c3a56 (diff)
download	linux-83e0bbcbe2145f160fbaa109b0439dae7f4a38a9.tar.bz2