summaryrefslogtreecommitdiff
path: root/net/llc
diff options
context:
space:
mode:
authorJoonwoo Park <joonwpark81@gmail.com>2008-03-28 16:27:33 -0700
committerDavid S. Miller <davem@davemloft.net>2008-03-28 16:27:33 -0700
commit27785d83e4256fedeff45256d4c827fdcb47f2ce (patch)
tree8b44dd3333aa0235774f0d227de7852f2b1472b2 /net/llc
parent2ba2506ca7ca62c56edaa334b0fe61eb5eab6ab0 (diff)
[LLC]: bogus llc packet length
discard llc packet which has bogus packet length. Signed-off-by: Joonwoo Park <joonwpark81@gmail.com> Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/llc')
-rw-r--r--net/llc/llc_input.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
index c40c9b2a345a..bfd2567dd365 100644
--- a/net/llc/llc_input.c
+++ b/net/llc/llc_input.c
@@ -117,8 +117,12 @@ static inline int llc_fixup_skb(struct sk_buff *skb)
skb_pull(skb, llc_len);
if (skb->protocol == htons(ETH_P_802_2)) {
__be16 pdulen = eth_hdr(skb)->h_proto;
- u16 data_size = ntohs(pdulen) - llc_len;
+ s32 data_size = ntohs(pdulen) - llc_len;
+ if (data_size < 0 ||
+ ((skb_tail_pointer(skb) -
+ (u8 *)pdu) - llc_len) < data_size)
+ return 0;
if (unlikely(pskb_trim_rcsum(skb, data_size)))
return 0;
}