summaryrefslogtreecommitdiffhomepage
path: root/net/rose/rose_in.c
diff options
context:
space:
mode:
Diffstat (limited to 'net/rose/rose_in.c')
-rw-r--r--net/rose/rose_in.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/net/rose/rose_in.c b/net/rose/rose_in.c
index 3aff3c2d45a9..ca4f217ef3d3 100644
--- a/net/rose/rose_in.c
+++ b/net/rose/rose_in.c
@@ -270,6 +270,13 @@ int rose_process_rx_frame(struct sock *sk, struct sk_buff *skb)
frametype = rose_decode(skb, &ns, &nr, &q, &d, &m);
+ /*
+ * ROSE_CLEAR_REQUEST carries cause and diagnostic in bytes 3..4.
+ * Reject a malformed frame that is too short to contain them.
+ */
+ if (frametype == ROSE_CLEAR_REQUEST && skb->len < 5)
+ return 0;
+
switch (rose->state) {
case ROSE_STATE_1:
queued = rose_state1_machine(sk, skb, frametype);
Copyright © 2025 - 2026 Wayne Cole. WTFPL. Attribution appreciated. No warranty. Not liable for bodily damages.