From 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9 Mon Sep 17 00:00:00 2001
From: Alan Cox
Date: Fri, 27 Mar 2009 00:28:21 -0700
Subject: af_rose/x25: Sanity check the maximum user frame size

Otherwise we can wrap the sizes and end up sending garbage.

Closes #10423

Signed-off-by: Alan Cox
Signed-off-by: David S. Miller
---
 net/netrom/af_netrom.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'net/netrom/af_netrom.c')

diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 6d9c58ec56a..d1c16bbee93 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -1086,7 +1086,11 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
 	SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");
-	/* Build a packet */
+	/* Build a packet - the conventional user limit is 236 bytes. We can
+	   do ludicrously large NetROM frames but must not overflow */
+	if (len > 65536)
+		return -EMSGSIZE;
+
 	SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
 	size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
-- 
cgit v1.2.3-70-g09d2

From 80e20f6f360078b4852eac6825883e5aa25564bb Mon Sep 17 00:00:00 2001
From: "David S. Miller"
Date: Fri, 27 Mar 2009 17:22:55 -0700
Subject: Revert "netrom: zero length frame filtering in NetRom"

This reverts commit a3ac80a130300573de351083cf4a5b46d233e8bf.

Alan Cox says that zero length writes do have special meaning and are useful in this protocol.

Signed-off-by: David S. Miller
---
 net/netrom/af_netrom.c | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
(limited to 'net/netrom/af_netrom.c')

diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index d1c16bbee93..4e705f87969 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
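Review bot: The new bound `if (len > 65536)` is a bare magic number, and its relation to the following `size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN` (where `size` appears to be declared `int size;` judging by the context of the later hunk) is stated only by the comment's "must not overflow". A named constant with a comment tying it to the `int` arithmetic would make the invariant checkable at the point where untrusted `len` enters, e.g. `if (len > NR_MAX_USER_FRAME_LEN) /* keeps len + header lengths well inside int */ return -EMSGSIZE;` (constant name illustrative). Note also that the subject line names af_rose/x25 while this hunk patches af_netrom.c, so the NET/ROM bound will be hard to find from the history. nr_sendmsg begins and ends outside the hunk.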
@@ -1037,10 +1037,6 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
 	unsigned char *asmptr;
 	int size;
-	/* Netrom empty data frame has no meaning : don't send */
-	if (len == 0)
-		return 0;
-
 	if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_EOR|MSG_CMSG_COMPAT))
 		return -EINVAL;
@@ -1175,11 +1171,6 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,
 	skb_reset_transport_header(skb);
 	copied = skb->len;
-	/* NetRom empty data frame has no meaning : ignore it */
-	if (copied == 0) {
-		goto out;
-	}
-
 	if (copied > size) {
 		copied = size;
 		msg->msg_flags |= MSG_TRUNC;
@@ -1195,7 +1186,7 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,
 	msg->msg_namelen = sizeof(*sax);
-out:	skb_free_datagram(sk, skb);
+	skb_free_datagram(sk, skb);
 	release_sock(sk);
 	return copied;
-- 
cgit v1.2.3-70-g09d2
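Review bot: Removing the `len == 0` early return in nr_sendmsg leaves nothing in the code recording why zero-length frames must be accepted; the reason lives only in the commit message, so the same filter is likely to be re-proposed. A one-line comment where the check used to be, `/* Zero-length frames carry meaning in NET/ROM; do not filter them here */`, and a matching one before `if (copied > size)` in the nr_recvmsg hunk would document the decision at both ends. Dropping the `out:` label in the third hunk is consistent with removing its only `goto`, as far as the visible lines show. Both nr_sendmsg and nr_recvmsg start and end outside these hunks.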