summaryrefslogtreecommitdiffstats
path: root/include/net
diff options
context:
space:
mode:
authorBen Hutchings <ben@decadent.org.uk>2011-03-20 07:48:05 +0100
committerDavid S. Miller <davem@davemloft.net>2011-03-28 02:59:04 +0200
commite0bccd315db0c2f919e7fcf9cb60db21d9986f52 (patch)
tree8cf512f43221087f964c0f55c7665e293e96921b /include/net
parentROSE: prevent heap corruption with bad facilities (diff)
downloadlinux-e0bccd315db0c2f919e7fcf9cb60db21d9986f52.tar.xz
linux-e0bccd315db0c2f919e7fcf9cb60db21d9986f52.zip
rose: Add length checks to CALL_REQUEST parsing
Define some constant offsets for CALL_REQUEST based on the description at <http://www.techfest.com/networking/wan/x25plp.htm> and the definition of ROSE as using 10-digit (5-byte) addresses. Use them consistently. Validate all implicit and explicit facilities lengths. Validate the address length byte rather than either trusting or assuming its value. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net')
-rw-r--r--include/net/rose.h8
1 files changed, 7 insertions, 1 deletions
diff --git a/include/net/rose.h b/include/net/rose.h
index 5ba9f02731eb..555dd198aab7 100644
--- a/include/net/rose.h
+++ b/include/net/rose.h
@@ -14,6 +14,12 @@
#define ROSE_MIN_LEN 3
+#define ROSE_CALL_REQ_ADDR_LEN_OFF 3
+#define ROSE_CALL_REQ_ADDR_LEN_VAL 0xAA /* each address is 10 digits */
+#define ROSE_CALL_REQ_DEST_ADDR_OFF 4
+#define ROSE_CALL_REQ_SRC_ADDR_OFF 9
+#define ROSE_CALL_REQ_FACILITIES_OFF 14
+
#define ROSE_GFI 0x10
#define ROSE_Q_BIT 0x80
#define ROSE_D_BIT 0x40
@@ -214,7 +220,7 @@ extern void rose_requeue_frames(struct sock *);
extern int rose_validate_nr(struct sock *, unsigned short);
extern void rose_write_internal(struct sock *, int);
extern int rose_decode(struct sk_buff *, int *, int *, int *, int *, int *);
-extern int rose_parse_facilities(unsigned char *, struct rose_facilities_struct *);
+extern int rose_parse_facilities(unsigned char *, unsigned int, struct rose_facilities_struct *);
extern void rose_disconnect(struct sock *, int, int, int);
/* rose_timer.c */