author | Joonwoo Park <joonwpark81@gmail.com> | 2008-03-28 16:27:33 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-03-28 16:27:33 -0700 |
commit | 27785d83e4256fedeff45256d4c827fdcb47f2ce (patch) | |
tree | 8b44dd3333aa0235774f0d227de7852f2b1472b2 /net/llc | |
parent | 2ba2506ca7ca62c56edaa334b0fe61eb5eab6ab0 (diff) |
[LLC]: bogus llc packet length
discard llc packet which has bogus packet length.
Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/llc')
-rw-r--r-- | net/llc/llc_input.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
index c40c9b2a345a..bfd2567dd365 100644
--- a/net/llc/llc_input.c
+++ b/net/llc/llc_input.c
@@ -117,8 +117,12 @@ static inline int llc_fixup_skb(struct sk_buff *skb)
 skb_pull(skb, llc_len);
 if (skb->protocol == htons(ETH_P_802_2)) {
 __be16 pdulen = eth_hdr(skb)->h_proto;
- u16 data_size = ntohs(pdulen) - llc_len;
+ s32 data_size = ntohs(pdulen) - llc_len;
+ if (data_size < 0 ||
+ ((skb_tail_pointer(skb) -
+ (u8 *)pdu) - llc_len) < data_size)
+ return 0;
 if (unlikely(pskb_trim_rcsum(skb, data_size)))
 return 0;
 } |
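Review bot: The upper bound in the added `if` is computed from `skb_tail_pointer(skb) - (u8 *)pdu - llc_len`, which measures only the linear part of the buffer and relies on `pdu` still pointing at the pre-pull `skb->data`. `pdu` is assigned outside this hunk, and llc_fixup_skb starts and ends outside it. If a non-linear skb can reach this path, a frame whose payload sits in paged fragments would be dropped even though its 802.3 length field is valid. Since `skb_pull(skb, llc_len)` has already run, `skb->len` is the remaining payload length, so the check could be written as `if (data_size < 0 || (u32)data_size > skb->len) return 0;`. A one-line comment such as `/* drop frames whose 802.3 length is shorter than the LLC header or longer than the data actually received */` would also make the intent of the signed `data_size` clear.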