aboutsummaryrefslogtreecommitdiffstats
path: root/net/rose/rose_loopback.c
diff options
context:
space:
mode:
authorBen Hutchings <ben@decadent.org.uk>2011-03-20 06:48:05 +0000
committerDavid S. Miller <davem@davemloft.net>2011-03-27 17:59:04 -0700
commite0bccd315db0c2f919e7fcf9cb60db21d9986f52 (patch)
tree8cf512f43221087f964c0f55c7665e293e96921b /net/rose/rose_loopback.c
parentbe20250c13f88375345ad99950190685eda51eb8 (diff)
downloadkernel_samsung_aries-e0bccd315db0c2f919e7fcf9cb60db21d9986f52.zip
kernel_samsung_aries-e0bccd315db0c2f919e7fcf9cb60db21d9986f52.tar.gz
kernel_samsung_aries-e0bccd315db0c2f919e7fcf9cb60db21d9986f52.tar.bz2
rose: Add length checks to CALL_REQUEST parsing
Define some constant offsets for CALL_REQUEST based on the description at <http://www.techfest.com/networking/wan/x25plp.htm> and the definition of ROSE as using 10-digit (5-byte) addresses. Use them consistently. Validate all implicit and explicit facilities lengths. Validate the address length byte rather than either trusting or assuming its value. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/rose/rose_loopback.c')
-rw-r--r--net/rose/rose_loopback.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
index ae4a9d9..3444562 100644
--- a/net/rose/rose_loopback.c
+++ b/net/rose/rose_loopback.c
@@ -73,9 +73,20 @@ static void rose_loopback_timer(unsigned long param)
unsigned int lci_i, lci_o;
while ((skb = skb_dequeue(&loopback_queue)) != NULL) {
+ if (skb->len < ROSE_MIN_LEN) {
+ kfree_skb(skb);
+ continue;
+ }
lci_i = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
frametype = skb->data[2];
- dest = (rose_address *)(skb->data + 4);
+ if (frametype == ROSE_CALL_REQUEST &&
+ (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF ||
+ skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] !=
+ ROSE_CALL_REQ_ADDR_LEN_VAL)) {
+ kfree_skb(skb);
+ continue;
+ }
+ dest = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF);
lci_o = ROSE_DEFAULT_MAXVC + 1 - lci_i;
skb_reset_transport_header(skb);