diff options
author | John Hughes <john@calva.com> | 2010-04-07 21:29:25 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-12-09 13:27:09 -0800 |
commit | 7281524c6476cbb85cd5156bde7c12df793bfeb3 (patch) | |
tree | 05c45640c9ece91c499e1a5a0cbd2f3c5f038945 /net/x25/x25_in.c | |
parent | a22280783f150f3e0bd03b4124faa73d45b8af06 (diff) |
x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
commit f5eb917b861828da18dc28854308068c66d1449a upstream.
Here is a patch to stop X.25 examining fields beyond the end of the packet.
For example, when a simple CALL ACCEPTED was received:
10 10 0f
x25_parse_facilities was attempting to decode the FACILITIES field, but this
packet contains no facilities field.
Signed-off-by: John Hughes <john@calva.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'net/x25/x25_in.c')
-rw-r--r-- | net/x25/x25_in.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c index 7d7c3abf38b5..56950652434e 100644 --- a/net/x25/x25_in.c +++ b/net/x25/x25_in.c @@ -89,6 +89,7 @@ static int x25_queue_rx_frame(struct sock *sk, struct sk_buff *skb, int more) static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametype) { struct x25_address source_addr, dest_addr; + int len; switch (frametype) { case X25_CALL_ACCEPTED: { @@ -106,11 +107,17 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp * Parse the data in the frame. */ skb_pull(skb, X25_STD_MIN_LEN); - skb_pull(skb, x25_addr_ntoa(skb->data, &source_addr, &dest_addr)); - skb_pull(skb, - x25_parse_facilities(skb, &x25->facilities, + + len = x25_parse_address_block(skb, &source_addr, + &dest_addr); + if (len > 0) + skb_pull(skb, len); + + len = x25_parse_facilities(skb, &x25->facilities, &x25->dte_facilities, - &x25->vc_facil_mask)); + &x25->vc_facil_mask); + if (len > 0) + skb_pull(skb, len); /* * Copy any Call User Data. */ |