6 files changed, 486 insertions, 412 deletions
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 4680b1e4c79..5f03e4ea65b 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -91,7 +91,7 @@ int x25_parse_address_block(struct sk_buff *skb,
        int needed;
        int rc;
-        if (skb->len < 1) {
+        if (!pskb_may_pull(skb, 1)) {
                /* packet has no address block */
                rc = 0;
                goto empty;
@@ -100,7 +100,7 @@ int x25_parse_address_block(struct sk_buff *skb,
        len = *skb->data;
        needed = 1 + (len >> 4) + (len & 0x0f);
-        if (skb->len < needed) {
+        if (!pskb_may_pull(skb, needed)) {
                /* packet is too short to hold the addresses it claims
                   to hold */
                rc = -1;
@@ -237,21 +237,21 @@ static int x25_device_event(struct notifier_block *this, unsigned long event,
 #endif
         ) {
                switch (event) {
-                        case NETDEV_UP:
+                case NETDEV_UP:
-                                x25_link_device_up(dev);
+                        x25_link_device_up(dev);
-                                break;
+                        break;
-                        case NETDEV_GOING_DOWN:
+                case NETDEV_GOING_DOWN:
-                                nb = x25_get_neigh(dev);
+                        nb = x25_get_neigh(dev);
-                                if (nb) {
+                        if (nb) {
-                                        x25_terminate_link(nb);
+                                x25_terminate_link(nb);
-                                        x25_neigh_put(nb);
+                                x25_neigh_put(nb);
-                                }
+                        }
-                                break;
+                        break;
-                        case NETDEV_DOWN:
+                case NETDEV_DOWN:
-                                x25_kill_by_device(dev);
+                        x25_kill_by_device(dev);
-                                x25_route_device_down(dev);
+                        x25_route_device_down(dev);
-                                x25_link_device_down(dev);
+                        x25_link_device_down(dev);
-                                break;
+                        break;
                }
        }
@@ -295,7 +295,8 @@ static struct sock *x25_find_listener(struct x25_address *addr,
                         * Found a listening socket, now check the incoming
                         * call user data vs this sockets call user data
                         */
-                        if(skb->len > 0 && x25_sk(s)->cudmatchlength > 0) {
+                        if (x25_sk(s)->cudmatchlength > 0 &&
+                                skb->len >= x25_sk(s)->cudmatchlength) {
                                if((memcmp(x25_sk(s)->calluserdata.cuddata,
                                        skb->data,
                                        x25_sk(s)->cudmatchlength)) == 0) {
@@ -951,14 +952,27 @@ int x25_rx_call_request(struct sk_buff *skb, struct x25_neigh *nb,
         *
         *      Facilities length is mandatory in call request packets
         */
-        if (skb->len < 1)
+        if (!pskb_may_pull(skb, 1))
                goto out_clear_request;
        len = skb->data[0] + 1;
-        if (skb->len < len)
+        if (!pskb_may_pull(skb, len))
                goto out_clear_request;
        skb_pull(skb,len);
        /*
+         *      Ensure that the amount of call user data is valid.
+         */
+        if (skb->len > X25_MAX_CUD_LEN)
+                goto out_clear_request;
+        /*
+         *      Get all the call user data so it can be used in
+         *      x25_find_listener and skb_copy_from_linear_data up ahead.
+         */
+        if (!pskb_may_pull(skb, skb->len))
+                goto out_clear_request;
+        /*
         *      Find a listener for the particular address/cud pair.
         */
        sk = x25_find_listener(&source_addr,skb);
@@ -1166,6 +1180,9 @@ static int x25_sendmsg(struct kiocb *iocb, struct socket *sock,
         *      byte of the user data is the logical value of the Q Bit.
         */
        if (test_bit(X25_Q_BIT_FLAG, &x25->flags)) {
+                if (!pskb_may_pull(skb, 1))
+                        goto out_kfree_skb;
                qbit = skb->data[0];
                skb_pull(skb, 1);
        }
@@ -1244,7 +1261,9 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock,
        struct x25_sock *x25 = x25_sk(sk);
        struct sockaddr_x25 *sx25 = (struct sockaddr_x25 *)msg->msg_name;
        size_t copied;
-        int qbit;
+        int qbit, header_len = x25->neighbour->extended ?
+                X25_EXT_MIN_LEN : X25_STD_MIN_LEN;
        struct sk_buff *skb;
        unsigned char *asmptr;
        int rc = -ENOTCONN;
@@ -1265,6 +1284,9 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock,
                skb = skb_dequeue(&x25->interrupt_in_queue);
+                if (!pskb_may_pull(skb, X25_STD_MIN_LEN))
+                        goto out_free_dgram;
                skb_pull(skb, X25_STD_MIN_LEN);
                /*
@@ -1285,10 +1307,12 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock,
                if (!skb)
                        goto out;
+                if (!pskb_may_pull(skb, header_len))
+                        goto out_free_dgram;
                qbit = (skb->data[0] & X25_Q_BIT) == X25_Q_BIT;
-                skb_pull(skb, x25->neighbour->extended ?
+                skb_pull(skb, header_len);
-                                X25_EXT_MIN_LEN : X25_STD_MIN_LEN);
                if (test_bit(X25_Q_BIT_FLAG, &x25->flags)) {
                        asmptr  = skb_push(skb, 1);
@@ -1336,256 +1360,253 @@ static int x25_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
        int rc;
        switch (cmd) {
-                case TIOCOUTQ: {
+        case TIOCOUTQ: {
-                        int amount;
+                int amount;
-                        amount = sk->sk_sndbuf - sk_wmem_alloc_get(sk);
+                amount = sk->sk_sndbuf - sk_wmem_alloc_get(sk);
-                        if (amount < 0)
+                if (amount < 0)
-                                amount = 0;
+                        amount = 0;
-                        rc = put_user(amount, (unsigned int __user *)argp);
+                rc = put_user(amount, (unsigned int __user *)argp);
-                        break;
+                break;
-                }
+        }
-                case TIOCINQ: {
+        case TIOCINQ: {
-                        struct sk_buff *skb;
+                struct sk_buff *skb;
-                        int amount = 0;
+                int amount = 0;
-                        /*
+                /*
-                         * These two are safe on a single CPU system as
+                 * These two are safe on a single CPU system as
-                         * only user tasks fiddle here
+                 * only user tasks fiddle here
-                         */
+                 */
-                        lock_sock(sk);
+                lock_sock(sk);
-                        if ((skb = skb_peek(&sk->sk_receive_queue)) != NULL)
+                if ((skb = skb_peek(&sk->sk_receive_queue)) != NULL)
-                                amount = skb->len;
+                        amount = skb->len;
-                        release_sock(sk);
+                release_sock(sk);
-                        rc = put_user(amount, (unsigned int __user *)argp);
+                rc = put_user(amount, (unsigned int __user *)argp);
-                        break;
+                break;
-                }
+        }
-                case SIOCGSTAMP:
+        case SIOCGSTAMP:
-                        rc = -EINVAL;
+                rc = -EINVAL;
-                        if (sk)
+                if (sk)
-                                rc = sock_get_timestamp(sk,
+                        rc = sock_get_timestamp(sk,
                                                (struct timeval __user *)argp);
+                break;
+        case SIOCGSTAMPNS:
+                rc = -EINVAL;
+                if (sk)
+                        rc = sock_get_timestampns(sk,
+                                        (struct timespec __user *)argp);
+                break;
+        case SIOCGIFADDR:
+        case SIOCSIFADDR:
+        case SIOCGIFDSTADDR:
+        case SIOCSIFDSTADDR:
+        case SIOCGIFBRDADDR:
+        case SIOCSIFBRDADDR:
+        case SIOCGIFNETMASK:
+        case SIOCSIFNETMASK:
+        case SIOCGIFMETRIC:
+        case SIOCSIFMETRIC:
+                rc = -EINVAL;
+                break;
+        case SIOCADDRT:
+        case SIOCDELRT:
+                rc = -EPERM;
+                if (!capable(CAP_NET_ADMIN))
                        break;
-                case SIOCGSTAMPNS:
+                rc = x25_route_ioctl(cmd, argp);
-                        rc = -EINVAL;
+                break;
-                        if (sk)
+        case SIOCX25GSUBSCRIP:
-                                rc = sock_get_timestampns(sk,
+                rc = x25_subscr_ioctl(cmd, argp);
-                                                (struct timespec __user *)argp);
+                break;
-                        break;
+        case SIOCX25SSUBSCRIP:
-                case SIOCGIFADDR:
+                rc = -EPERM;
-                case SIOCSIFADDR:
+                if (!capable(CAP_NET_ADMIN))
-                case SIOCGIFDSTADDR:
-                case SIOCSIFDSTADDR:
-                case SIOCGIFBRDADDR:
-                case SIOCSIFBRDADDR:
-                case SIOCGIFNETMASK:
-                case SIOCSIFNETMASK:
-                case SIOCGIFMETRIC:
-                case SIOCSIFMETRIC:
-                        rc = -EINVAL;
-                        break;
-                case SIOCADDRT:
-                case SIOCDELRT:
-                        rc = -EPERM;
-                        if (!capable(CAP_NET_ADMIN))
-                                break;
-                        rc = x25_route_ioctl(cmd, argp);
-                        break;
-                case SIOCX25GSUBSCRIP:
-                        rc = x25_subscr_ioctl(cmd, argp);
-                        break;
-                case SIOCX25SSUBSCRIP:
-                        rc = -EPERM;
-                        if (!capable(CAP_NET_ADMIN))
-                                break;
-                        rc = x25_subscr_ioctl(cmd, argp);
-                        break;
-                case SIOCX25GFACILITIES: {
-                        lock_sock(sk);
-                        rc = copy_to_user(argp, &x25->facilities,
-                                                sizeof(x25->facilities))
-                                                ? -EFAULT : 0;
-                        release_sock(sk);
                        break;
-                }
+                rc = x25_subscr_ioctl(cmd, argp);
+                break;
+        case SIOCX25GFACILITIES: {
+                lock_sock(sk);
+                rc = copy_to_user(argp, &x25->facilities,
+                                  sizeof(x25->facilities))
+                        ? -EFAULT : 0;
+                release_sock(sk);
+                break;
+        }
-                case SIOCX25SFACILITIES: {
+        case SIOCX25SFACILITIES: {
-                        struct x25_facilities facilities;
+                struct x25_facilities facilities;
-                        rc = -EFAULT;
+                rc = -EFAULT;
-                        if (copy_from_user(&facilities, argp,
+                if (copy_from_user(&facilities, argp, sizeof(facilities)))
-                                           sizeof(facilities)))
+                        break;
-                                break;
+                rc = -EINVAL;
-                        rc = -EINVAL;
+                lock_sock(sk);
-                        lock_sock(sk);
+                if (sk->sk_state != TCP_LISTEN &&
-                        if (sk->sk_state != TCP_LISTEN &&
+                    sk->sk_state != TCP_CLOSE)
-                            sk->sk_state != TCP_CLOSE)
+                        goto out_fac_release;
-                                goto out_fac_release;
+                if (facilities.pacsize_in < X25_PS16 ||
-                        if (facilities.pacsize_in < X25_PS16 ||
+                    facilities.pacsize_in > X25_PS4096)
-                            facilities.pacsize_in > X25_PS4096)
+                        goto out_fac_release;
-                                goto out_fac_release;
+                if (facilities.pacsize_out < X25_PS16 ||
-                        if (facilities.pacsize_out < X25_PS16 ||
+                    facilities.pacsize_out > X25_PS4096)
-                            facilities.pacsize_out > X25_PS4096)
+                        goto out_fac_release;
-                                goto out_fac_release;
+                if (facilities.winsize_in < 1 ||
-                        if (facilities.winsize_in < 1 ||
+                    facilities.winsize_in > 127)
-                            facilities.winsize_in > 127)
+                        goto out_fac_release;
+                if (facilities.throughput) {
+                        int out = facilities.throughput & 0xf0;
+                        int in  = facilities.throughput & 0x0f;
+                        if (!out)
+                                facilities.throughput |=
+                                        X25_DEFAULT_THROUGHPUT << 4;
+                        else if (out < 0x30 || out > 0xD0)
                                goto out_fac_release;
-                        if (facilities.throughput) {
+                        if (!in)
-                                int out = facilities.throughput & 0xf0;
+                                facilities.throughput |=
-                                int in  = facilities.throughput & 0x0f;
+                                        X25_DEFAULT_THROUGHPUT;
-                                if (!out)
+                        else if (in < 0x03 || in > 0x0D)
-                                        facilities.throughput |=
-                                                X25_DEFAULT_THROUGHPUT << 4;
-                                else if (out < 0x30 || out > 0xD0)
-                                        goto out_fac_release;
-                                if (!in)
-                                        facilities.throughput |=
-                                                X25_DEFAULT_THROUGHPUT;
-                                else if (in < 0x03 || in > 0x0D)
-                                        goto out_fac_release;
-                        }
-                        if (facilities.reverse &&
-                                (facilities.reverse & 0x81) != 0x81)
                                goto out_fac_release;
-                        x25->facilities = facilities;
-                        rc = 0;
-out_fac_release:
-                        release_sock(sk);
-                        break;
-                }
-                case SIOCX25GDTEFACILITIES: {
-                        lock_sock(sk);
-                        rc = copy_to_user(argp, &x25->dte_facilities,
-                                                sizeof(x25->dte_facilities));
-                        release_sock(sk);
-                        if (rc)
-                                rc = -EFAULT;
-                        break;
                }
+                if (facilities.reverse &&
+                    (facilities.reverse & 0x81) != 0x81)
+                        goto out_fac_release;
+                x25->facilities = facilities;
+                rc = 0;
+out_fac_release:
+                release_sock(sk);
+                break;
+        }
-                case SIOCX25SDTEFACILITIES: {
+        case SIOCX25GDTEFACILITIES: {
-                        struct x25_dte_facilities dtefacs;
+                lock_sock(sk);
+                rc = copy_to_user(argp, &x25->dte_facilities,
+                                  sizeof(x25->dte_facilities));
+                release_sock(sk);
+                if (rc)
                        rc = -EFAULT;
-                        if (copy_from_user(&dtefacs, argp, sizeof(dtefacs)))
+                break;
-                                break;
+        }
-                        rc = -EINVAL;
-                        lock_sock(sk);
-                        if (sk->sk_state != TCP_LISTEN &&
-                                        sk->sk_state != TCP_CLOSE)
-                                goto out_dtefac_release;
-                        if (dtefacs.calling_len > X25_MAX_AE_LEN)
-                                goto out_dtefac_release;
-                        if (dtefacs.calling_ae == NULL)
-                                goto out_dtefac_release;
-                        if (dtefacs.called_len > X25_MAX_AE_LEN)
-                                goto out_dtefac_release;
-                        if (dtefacs.called_ae == NULL)
-                                goto out_dtefac_release;
-                        x25->dte_facilities = dtefacs;
-                        rc = 0;
-out_dtefac_release:
-                        release_sock(sk);
-                        break;
-                }
-                case SIOCX25GCALLUSERDATA: {
+        case SIOCX25SDTEFACILITIES: {
-                        lock_sock(sk);
+                struct x25_dte_facilities dtefacs;
-                        rc = copy_to_user(argp, &x25->calluserdata,
+                rc = -EFAULT;
-                                        sizeof(x25->calluserdata))
+                if (copy_from_user(&dtefacs, argp, sizeof(dtefacs)))
-                                        ? -EFAULT : 0;
-                        release_sock(sk);
                        break;
-                }
+                rc = -EINVAL;
+                lock_sock(sk);
+                if (sk->sk_state != TCP_LISTEN &&
+                    sk->sk_state != TCP_CLOSE)
+                        goto out_dtefac_release;
+                if (dtefacs.calling_len > X25_MAX_AE_LEN)
+                        goto out_dtefac_release;
+                if (dtefacs.calling_ae == NULL)
+                        goto out_dtefac_release;
+                if (dtefacs.called_len > X25_MAX_AE_LEN)
+                        goto out_dtefac_release;
+                if (dtefacs.called_ae == NULL)
+                        goto out_dtefac_release;
+                x25->dte_facilities = dtefacs;
+                rc = 0;
+out_dtefac_release:
+                release_sock(sk);
+                break;
+        }
-                case SIOCX25SCALLUSERDATA: {
+        case SIOCX25GCALLUSERDATA: {
-                        struct x25_calluserdata calluserdata;
+                lock_sock(sk);
+                rc = copy_to_user(argp, &x25->calluserdata,
+                                  sizeof(x25->calluserdata))
+                        ? -EFAULT : 0;
+                release_sock(sk);
+                break;
+        }
-                        rc = -EFAULT;
+        case SIOCX25SCALLUSERDATA: {
-                        if (copy_from_user(&calluserdata, argp,
+                struct x25_calluserdata calluserdata;
-                                           sizeof(calluserdata)))
-                                break;
-                        rc = -EINVAL;
-                        if (calluserdata.cudlength > X25_MAX_CUD_LEN)
-                                break;
-                        lock_sock(sk);
-                        x25->calluserdata = calluserdata;
-                        release_sock(sk);
-                        rc = 0;
-                        break;
-                }
-                case SIOCX25GCAUSEDIAG: {
+                rc = -EFAULT;
-                        lock_sock(sk);
+                if (copy_from_user(&calluserdata, argp, sizeof(calluserdata)))
-                        rc = copy_to_user(argp, &x25->causediag,
-                                        sizeof(x25->causediag))
-                                        ? -EFAULT : 0;
-                        release_sock(sk);
                        break;
-                }
+                rc = -EINVAL;
+                if (calluserdata.cudlength > X25_MAX_CUD_LEN)
+                        break;
+                lock_sock(sk);
+                x25->calluserdata = calluserdata;
+                release_sock(sk);
+                rc = 0;
+                break;
+        }
-                case SIOCX25SCAUSEDIAG: {
+        case SIOCX25GCAUSEDIAG: {
-                        struct x25_causediag causediag;
+                lock_sock(sk);
-                        rc = -EFAULT;
+                rc = copy_to_user(argp, &x25->causediag, sizeof(x25->causediag))
-                        if (copy_from_user(&causediag, argp, sizeof(causediag)))
+                        ? -EFAULT : 0;
-                                break;
+                release_sock(sk);
-                        lock_sock(sk);
+                break;
-                        x25->causediag = causediag;
+        }
-                        release_sock(sk);
-                        rc = 0;
+        case SIOCX25SCAUSEDIAG: {
+                struct x25_causediag causediag;
+                rc = -EFAULT;
+                if (copy_from_user(&causediag, argp, sizeof(causediag)))
                        break;
+                lock_sock(sk);
+                x25->causediag = causediag;
+                release_sock(sk);
+                rc = 0;
+                break;
-                }
+        }
-                case SIOCX25SCUDMATCHLEN: {
+        case SIOCX25SCUDMATCHLEN: {
-                        struct x25_subaddr sub_addr;
+                struct x25_subaddr sub_addr;
-                        rc = -EINVAL;
+                rc = -EINVAL;
-                        lock_sock(sk);
+                lock_sock(sk);
-                        if(sk->sk_state != TCP_CLOSE)
+                if(sk->sk_state != TCP_CLOSE)
-                                goto out_cud_release;
+                        goto out_cud_release;
-                        rc = -EFAULT;
+                rc = -EFAULT;
-                        if (copy_from_user(&sub_addr, argp,
+                if (copy_from_user(&sub_addr, argp,
-                                        sizeof(sub_addr)))
+                                   sizeof(sub_addr)))
-                                goto out_cud_release;
+                        goto out_cud_release;
-                        rc = -EINVAL;
+                rc = -EINVAL;
-                        if(sub_addr.cudmatchlength > X25_MAX_CUD_LEN)
+                if (sub_addr.cudmatchlength > X25_MAX_CUD_LEN)
-                                goto out_cud_release;
+                        goto out_cud_release;
-                        x25->cudmatchlength = sub_addr.cudmatchlength;
+                x25->cudmatchlength = sub_addr.cudmatchlength;
-                        rc = 0;
+                rc = 0;
 out_cud_release:
-                        release_sock(sk);
+                release_sock(sk);
-                        break;
+                break;
-                }
+        }
-                case SIOCX25CALLACCPTAPPRV: {
+        case SIOCX25CALLACCPTAPPRV: {
-                        rc = -EINVAL;
+                rc = -EINVAL;
-                        lock_sock(sk);
+                lock_sock(sk);
-                        if (sk->sk_state != TCP_CLOSE)
+                if (sk->sk_state != TCP_CLOSE)
-                                break;
-                        clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
-                        release_sock(sk);
-                        rc = 0;
                        break;
-                }
+                clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
+                release_sock(sk);
+                rc = 0;
+                break;
+        }
-                case SIOCX25SENDCALLACCPT:  {
+        case SIOCX25SENDCALLACCPT:  {
-                        rc = -EINVAL;
+                rc = -EINVAL;
-                        lock_sock(sk);
+                lock_sock(sk);
-                        if (sk->sk_state != TCP_ESTABLISHED)
+                if (sk->sk_state != TCP_ESTABLISHED)
-                                break;
-                        /* must call accptapprv above */
-                        if (test_bit(X25_ACCPT_APPRV_FLAG, &x25->flags))
-                                break;
-                        x25_write_internal(sk, X25_CALL_ACCEPTED);
-                        x25->state = X25_STATE_3;
-                        release_sock(sk);
-                        rc = 0;
                        break;
-                }
+                /* must call accptapprv above */
+                if (test_bit(X25_ACCPT_APPRV_FLAG, &x25->flags))
-                default:
-                        rc = -ENOIOCTLCMD;
                        break;
+                x25_write_internal(sk, X25_CALL_ACCEPTED);
+                x25->state = X25_STATE_3;
+                release_sock(sk);
+                rc = 0;
+                break;
+        }
+        default:
+                rc = -ENOIOCTLCMD;
+                break;
        }
        return rc;
diff --git a/net/x25/x25_dev.c b/net/x25/x25_dev.c
index 9005f6daeab..fa2b41888bd 100644
--- a/net/x25/x25_dev.c
+++ b/net/x25/x25_dev.c
@@ -32,6 +32,9 @@ static int x25_receive_data(struct sk_buff *skb, struct x25_neigh *nb)
        unsigned short frametype;
        unsigned int lci;
+        if (!pskb_may_pull(skb, X25_STD_MIN_LEN))
+                return 0;
        frametype = skb->data[2];
        lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
@@ -115,6 +118,9 @@ int x25_lapb_receive_frame(struct sk_buff *skb, struct net_device *dev,
                goto drop;
        }
+        if (!pskb_may_pull(skb, 1))
+                return 0;
        switch (skb->data[0]) {
        case X25_IFACE_DATA:
@@ -146,21 +152,21 @@ void x25_establish_link(struct x25_neigh *nb)
        unsigned char *ptr;
        switch (nb->dev->type) {
-                case ARPHRD_X25:
+        case ARPHRD_X25:
-                        if ((skb = alloc_skb(1, GFP_ATOMIC)) == NULL) {
+                if ((skb = alloc_skb(1, GFP_ATOMIC)) == NULL) {
-                                printk(KERN_ERR "x25_dev: out of memory\n");
+                        printk(KERN_ERR "x25_dev: out of memory\n");
-                                return;
+                        return;
-                        }
+                }
-                        ptr  = skb_put(skb, 1);
+                ptr  = skb_put(skb, 1);
-                        *ptr = X25_IFACE_CONNECT;
+                *ptr = X25_IFACE_CONNECT;
-                        break;
+                break;
 #if defined(CONFIG_LLC) || defined(CONFIG_LLC_MODULE)
-                case ARPHRD_ETHER:
+        case ARPHRD_ETHER:
-                        return;
+                return;
 #endif
-                default:
+        default:
-                        return;
+                return;
        }
        skb->protocol = htons(ETH_P_X25);
@@ -202,19 +208,19 @@ void x25_send_frame(struct sk_buff *skb, struct x25_neigh *nb)
        skb_reset_network_header(skb);
        switch (nb->dev->type) {
-                case ARPHRD_X25:
+        case ARPHRD_X25:
-                        dptr  = skb_push(skb, 1);
+                dptr  = skb_push(skb, 1);
-                        *dptr = X25_IFACE_DATA;
+                *dptr = X25_IFACE_DATA;
-                        break;
+                break;
 #if defined(CONFIG_LLC) || defined(CONFIG_LLC_MODULE)
-                case ARPHRD_ETHER:
+        case ARPHRD_ETHER:
-                        kfree_skb(skb);
+                kfree_skb(skb);
-                        return;
+                return;
 #endif
-                default:
+        default:
-                        kfree_skb(skb);
+                kfree_skb(skb);
-                        return;
+                return;
        }
        skb->protocol = htons(ETH_P_X25);
diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
index f77e4e75f91..36384a1fa9f 100644
--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -44,7 +44,7 @@
 int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
                struct x25_dte_facilities *dte_facs, unsigned long *vc_fac_mask)
 {
-        unsigned char *p = skb->data;
+        unsigned char *p;
        unsigned int len;
        *vc_fac_mask = 0;
@@ -60,14 +60,16 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
        memset(dte_facs->called_ae, '\0', sizeof(dte_facs->called_ae));
        memset(dte_facs->calling_ae, '\0', sizeof(dte_facs->calling_ae));
-        if (skb->len < 1)
+        if (!pskb_may_pull(skb, 1))
                return 0;
-        len = *p++;
+        len = skb->data[0];
-        if (len >= skb->len)
+        if (!pskb_may_pull(skb, 1 + len))
                return -1;
+        p = skb->data + 1;
        while (len > 0) {
                switch (*p & X25_FAC_CLASS_MASK) {
                case X25_FAC_CLASS_A:
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
index 15de65f0471..a49cd4ec551 100644
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@@ -94,55 +94,62 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
        struct x25_sock *x25 = x25_sk(sk);
        switch (frametype) {
-                case X25_CALL_ACCEPTED: {
+        case X25_CALL_ACCEPTED: {
-                        x25_stop_timer(sk);
+                x25_stop_timer(sk);
-                        x25->condition = 0x00;
+                x25->condition = 0x00;
-                        x25->vs        = 0;
+                x25->vs        = 0;
-                        x25->va        = 0;
+                x25->va        = 0;
-                        x25->vr        = 0;
+                x25->vr        = 0;
-                        x25->vl        = 0;
+                x25->vl        = 0;
-                        x25->state     = X25_STATE_3;
+                x25->state     = X25_STATE_3;
-                        sk->sk_state   = TCP_ESTABLISHED;
+                sk->sk_state   = TCP_ESTABLISHED;
-                        /*
+                /*
-                         *      Parse the data in the frame.
+                 *      Parse the data in the frame.
-                         */
+                 */
-                        skb_pull(skb, X25_STD_MIN_LEN);
+                if (!pskb_may_pull(skb, X25_STD_MIN_LEN))
+                        goto out_clear;
-                        len = x25_parse_address_block(skb, &source_addr,
+                skb_pull(skb, X25_STD_MIN_LEN);
-                                                &dest_addr);
-                        if (len > 0)
+                len = x25_parse_address_block(skb, &source_addr,
-                                skb_pull(skb, len);
+                                              &dest_addr);
-                        else if (len < 0)
+                if (len > 0)
+                        skb_pull(skb, len);
+                else if (len < 0)
+                        goto out_clear;
+                len = x25_parse_facilities(skb, &x25->facilities,
+                                           &x25->dte_facilities,
+                                           &x25->vc_facil_mask);
+                if (len > 0)
+                        skb_pull(skb, len);
+                else if (len < 0)
+                        goto out_clear;
+                /*
+                 *      Copy any Call User Data.
+                 */
+                if (skb->len > 0) {
+                        if (skb->len > X25_MAX_CUD_LEN)
                                goto out_clear;
-                        len = x25_parse_facilities(skb, &x25->facilities,
+                        skb_copy_bits(skb, 0, x25->calluserdata.cuddata,
-                                                &x25->dte_facilities,
+                                skb->len);
-                                                &x25->vc_facil_mask);
+                        x25->calluserdata.cudlength = skb->len;
-                        if (len > 0)
-                                skb_pull(skb, len);
-                        else if (len < 0)
-                                goto out_clear;
-                        /*
-                         *      Copy any Call User Data.
-                         */
-                        if (skb->len > 0) {
-                                skb_copy_from_linear_data(skb,
-                                              x25->calluserdata.cuddata,
-                                              skb->len);
-                                x25->calluserdata.cudlength = skb->len;
-                        }
-                        if (!sock_flag(sk, SOCK_DEAD))
-                                sk->sk_state_change(sk);
-                        break;
                }
-                case X25_CLEAR_REQUEST:
+                if (!sock_flag(sk, SOCK_DEAD))
-                        x25_write_internal(sk, X25_CLEAR_CONFIRMATION);
+                        sk->sk_state_change(sk);
-                        x25_disconnect(sk, ECONNREFUSED, skb->data[3], skb->data[4]);
+                break;
-                        break;
+        }
+        case X25_CLEAR_REQUEST:
+                if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 2))
+                        goto out_clear;
-                default:
+                x25_write_internal(sk, X25_CLEAR_CONFIRMATION);
-                        break;
+                x25_disconnect(sk, ECONNREFUSED, skb->data[3], skb->data[4]);
+                break;
+        default:
+                break;
        }
        return 0;
@@ -164,6 +171,9 @@ static int x25_state2_machine(struct sock *sk, struct sk_buff *skb, int frametyp
        switch (frametype) {
                case X25_CLEAR_REQUEST:
+                        if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 2))
+                                goto out_clear;
                        x25_write_internal(sk, X25_CLEAR_CONFIRMATION);
                        x25_disconnect(sk, 0, skb->data[3], skb->data[4]);
                        break;
@@ -177,6 +187,11 @@ static int x25_state2_machine(struct sock *sk, struct sk_buff *skb, int frametyp
        }
        return 0;
+out_clear:
+        x25_write_internal(sk, X25_CLEAR_REQUEST);
+        x25_start_t23timer(sk);
+        return 0;
 }
 /*
@@ -206,6 +221,9 @@ static int x25_state3_machine(struct sock *sk, struct sk_buff *skb, int frametyp
                        break;
                case X25_CLEAR_REQUEST:
+                        if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 2))
+                                goto out_clear;
                        x25_write_internal(sk, X25_CLEAR_CONFIRMATION);
                        x25_disconnect(sk, 0, skb->data[3], skb->data[4]);
                        break;
@@ -304,6 +322,12 @@ static int x25_state3_machine(struct sock *sk, struct sk_buff *skb, int frametyp
        }
        return queued;
+out_clear:
+        x25_write_internal(sk, X25_CLEAR_REQUEST);
+        x25->state = X25_STATE_2;
+        x25_start_t23timer(sk);
+        return 0;
 }
 /*
@@ -313,13 +337,13 @@ static int x25_state3_machine(struct sock *sk, struct sk_buff *skb, int frametyp
 */
 static int x25_state4_machine(struct sock *sk, struct sk_buff *skb, int frametype)
 {
+        struct x25_sock *x25 = x25_sk(sk);
        switch (frametype) {
                case X25_RESET_REQUEST:
                        x25_write_internal(sk, X25_RESET_CONFIRMATION);
                case X25_RESET_CONFIRMATION: {
-                        struct x25_sock *x25 = x25_sk(sk);
                        x25_stop_timer(sk);
                        x25->condition = 0x00;
                        x25->va        = 0;
@@ -331,6 +355,9 @@ static int x25_state4_machine(struct sock *sk, struct sk_buff *skb, int frametyp
                        break;
                }
                case X25_CLEAR_REQUEST:
+                        if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 2))
+                                goto out_clear;
                        x25_write_internal(sk, X25_CLEAR_CONFIRMATION);
                        x25_disconnect(sk, 0, skb->data[3], skb->data[4]);
                        break;
@@ -340,6 +367,12 @@ static int x25_state4_machine(struct sock *sk, struct sk_buff *skb, int frametyp
        }
        return 0;
+out_clear:
+        x25_write_internal(sk, X25_CLEAR_REQUEST);
+        x25->state = X25_STATE_2;
+        x25_start_t23timer(sk);
+        return 0;
 }
 /* Higher level upcall for a LAPB frame */
@@ -354,18 +387,18 @@ int x25_process_rx_frame(struct sock *sk, struct sk_buff *skb)
        frametype = x25_decode(sk, skb, &ns, &nr, &q, &d, &m);
        switch (x25->state) {
-                case X25_STATE_1:
+        case X25_STATE_1:
-                        queued = x25_state1_machine(sk, skb, frametype);
+                queued = x25_state1_machine(sk, skb, frametype);
-                        break;
+                break;
-                case X25_STATE_2:
+        case X25_STATE_2:
-                        queued = x25_state2_machine(sk, skb, frametype);
+                queued = x25_state2_machine(sk, skb, frametype);
-                        break;
+                break;
-                case X25_STATE_3:
+        case X25_STATE_3:
-                        queued = x25_state3_machine(sk, skb, frametype, ns, nr, q, d, m);
+                queued = x25_state3_machine(sk, skb, frametype, ns, nr, q, d, m);
-                        break;
+                break;
-                case X25_STATE_4:
+        case X25_STATE_4:
-                        queued = x25_state4_machine(sk, skb, frametype);
+                queued = x25_state4_machine(sk, skb, frametype);
-                        break;
+                break;
        }
        x25_kick(sk);
diff --git a/net/x25/x25_link.c b/net/x25/x25_link.c
index 21306928d47..4acacf3c661 100644
--- a/net/x25/x25_link.c
+++ b/net/x25/x25_link.c
@@ -76,30 +76,32 @@ void x25_link_control(struct sk_buff *skb, struct x25_neigh *nb,
        int confirm;
        switch (frametype) {
-                case X25_RESTART_REQUEST:
+        case X25_RESTART_REQUEST:
-                        confirm = !x25_t20timer_pending(nb);
+                confirm = !x25_t20timer_pending(nb);
-                        x25_stop_t20timer(nb);
+                x25_stop_t20timer(nb);
-                        nb->state = X25_LINK_STATE_3;
+                nb->state = X25_LINK_STATE_3;
-                        if (confirm)
+                if (confirm)
-                                x25_transmit_restart_confirmation(nb);
+                        x25_transmit_restart_confirmation(nb);
+                break;
+        case X25_RESTART_CONFIRMATION:
+                x25_stop_t20timer(nb);
+                nb->state = X25_LINK_STATE_3;
+                break;
+        case X25_DIAGNOSTIC:
+                if (!pskb_may_pull(skb, X25_STD_MIN_LEN + 4))
                        break;
-                case X25_RESTART_CONFIRMATION:
+                printk(KERN_WARNING "x25: diagnostic #%d - %02X %02X %02X\n",
-                        x25_stop_t20timer(nb);
+                       skb->data[3], skb->data[4],
-                        nb->state = X25_LINK_STATE_3;
+                       skb->data[5], skb->data[6]);
-                        break;
+                break;
-                case X25_DIAGNOSTIC:
-                        printk(KERN_WARNING "x25: diagnostic #%d - "
-                               "%02X %02X %02X\n",
-                               skb->data[3], skb->data[4],
-                               skb->data[5], skb->data[6]);
-                        break;
-                default:
+        default:
-                        printk(KERN_WARNING "x25: received unknown %02X "
+                printk(KERN_WARNING "x25: received unknown %02X with LCI 000\n",
-                               "with LCI 000\n", frametype);
+                       frametype);
-                        break;
+                break;
        }
        if (nb->state == X25_LINK_STATE_3)
@@ -193,18 +195,18 @@ void x25_transmit_clear_request(struct x25_neigh *nb, unsigned int lci,
 void x25_transmit_link(struct sk_buff *skb, struct x25_neigh *nb)
 {
        switch (nb->state) {
-                case X25_LINK_STATE_0:
+        case X25_LINK_STATE_0:
-                        skb_queue_tail(&nb->queue, skb);
+                skb_queue_tail(&nb->queue, skb);
-                        nb->state = X25_LINK_STATE_1;
+                nb->state = X25_LINK_STATE_1;
-                        x25_establish_link(nb);
+                x25_establish_link(nb);
-                        break;
+                break;
-                case X25_LINK_STATE_1:
+        case X25_LINK_STATE_1:
-                case X25_LINK_STATE_2:
+        case X25_LINK_STATE_2:
-                        skb_queue_tail(&nb->queue, skb);
+                skb_queue_tail(&nb->queue, skb);
-                        break;
+                break;
-                case X25_LINK_STATE_3:
+        case X25_LINK_STATE_3:
-                        x25_send_frame(skb, nb);
+                x25_send_frame(skb, nb);
-                        break;
+                break;
        }
 }
@@ -214,14 +216,14 @@ void x25_transmit_link(struct sk_buff *skb, struct x25_neigh *nb)
 void x25_link_established(struct x25_neigh *nb)
 {
        switch (nb->state) {
-                case X25_LINK_STATE_0:
+        case X25_LINK_STATE_0:
-                        nb->state = X25_LINK_STATE_2;
+                nb->state = X25_LINK_STATE_2;
-                        break;
+                break;
-                case X25_LINK_STATE_1:
+        case X25_LINK_STATE_1:
-                        x25_transmit_restart_request(nb);
+                x25_transmit_restart_request(nb);
-                        nb->state = X25_LINK_STATE_2;
+                nb->state = X25_LINK_STATE_2;
-                        x25_start_t20timer(nb);
+                x25_start_t20timer(nb);
-                        break;
+                break;
        }
 }
diff --git a/net/x25/x25_subr.c b/net/x25/x25_subr.c
index dc20cf12f39..5170d52bfd9 100644
--- a/net/x25/x25_subr.c
+++ b/net/x25/x25_subr.c
@@ -126,32 +126,30 @@ void x25_write_internal(struct sock *sk, int frametype)
         *      Adjust frame size.
         */
        switch (frametype) {
-                case X25_CALL_REQUEST:
+        case X25_CALL_REQUEST:
-                        len += 1 + X25_ADDR_LEN + X25_MAX_FAC_LEN +
+                len += 1 + X25_ADDR_LEN + X25_MAX_FAC_LEN + X25_MAX_CUD_LEN;
-                               X25_MAX_CUD_LEN;
+                break;
-                        break;
+        case X25_CALL_ACCEPTED: /* fast sel with no restr on resp */
-                case X25_CALL_ACCEPTED: /* fast sel with no restr on resp */
+                if (x25->facilities.reverse & 0x80) {
-                        if(x25->facilities.reverse & 0x80) {
+                        len += 1 + X25_MAX_FAC_LEN + X25_MAX_CUD_LEN;
-                                len += 1 + X25_MAX_FAC_LEN + X25_MAX_CUD_LEN;
+                } else {
-                        } else {
+                        len += 1 + X25_MAX_FAC_LEN;
-                                len += 1 + X25_MAX_FAC_LEN;
+                }
-                        }
+                break;
-                        break;
+        case X25_CLEAR_REQUEST:
-                case X25_CLEAR_REQUEST:
+        case X25_RESET_REQUEST:
-                case X25_RESET_REQUEST:
+                len += 2;
-                        len += 2;
+                break;
-                        break;
+        case X25_RR:
-                case X25_RR:
+        case X25_RNR:
-                case X25_RNR:
+        case X25_REJ:
-                case X25_REJ:
+        case X25_CLEAR_CONFIRMATION:
-                case X25_CLEAR_CONFIRMATION:
+        case X25_INTERRUPT_CONFIRMATION:
-                case X25_INTERRUPT_CONFIRMATION:
+        case X25_RESET_CONFIRMATION:
-                case X25_RESET_CONFIRMATION:
+                break;
-                        break;
+        default:
-                default:
+                printk(KERN_ERR "X.25: invalid frame type %02X\n", frametype);
-                        printk(KERN_ERR "X.25: invalid frame type %02X\n",
+                return;
-                               frametype);
-                        return;
        }
        if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL)
@@ -271,31 +269,39 @@ int x25_decode(struct sock *sk, struct sk_buff *skb, int *ns, int *nr, int *q,
               int *d, int *m)
 {
        struct x25_sock *x25 = x25_sk(sk);
-        unsigned char *frame = skb->data;
+        unsigned char *frame;
+        if (!pskb_may_pull(skb, X25_STD_MIN_LEN))
+                return X25_ILLEGAL;
+        frame = skb->data;
        *ns = *nr = *q = *d = *m = 0;
        switch (frame[2]) {
-                case X25_CALL_REQUEST:
+        case X25_CALL_REQUEST:
-                case X25_CALL_ACCEPTED:
+        case X25_CALL_ACCEPTED:
-                case X25_CLEAR_REQUEST:
+        case X25_CLEAR_REQUEST:
-                case X25_CLEAR_CONFIRMATION:
+        case X25_CLEAR_CONFIRMATION:
-                case X25_INTERRUPT:
+        case X25_INTERRUPT:
-                case X25_INTERRUPT_CONFIRMATION:
+        case X25_INTERRUPT_CONFIRMATION:
-                case X25_RESET_REQUEST:
+        case X25_RESET_REQUEST:
-                case X25_RESET_CONFIRMATION:
+        case X25_RESET_CONFIRMATION:
-                case X25_RESTART_REQUEST:
+        case X25_RESTART_REQUEST:
-                case X25_RESTART_CONFIRMATION:
+        case X25_RESTART_CONFIRMATION:
-                case X25_REGISTRATION_REQUEST:
+        case X25_REGISTRATION_REQUEST:
-                case X25_REGISTRATION_CONFIRMATION:
+        case X25_REGISTRATION_CONFIRMATION:
-                case X25_DIAGNOSTIC:
+        case X25_DIAGNOSTIC:
-                        return frame[2];
+                return frame[2];
        }
        if (x25->neighbour->extended) {
                if (frame[2] == X25_RR  ||
                    frame[2] == X25_RNR ||
                    frame[2] == X25_REJ) {
+                        if (!pskb_may_pull(skb, X25_EXT_MIN_LEN))
+                                return X25_ILLEGAL;
+                        frame = skb->data;
                        *nr = (frame[3] >> 1) & 0x7F;
                        return frame[2];
                }
@@ -310,6 +316,10 @@ int x25_decode(struct sock *sk, struct sk_buff *skb, int *ns, int *nr, int *q,
        if (x25->neighbour->extended) {
                if ((frame[2] & 0x01) == X25_DATA) {
+                        if (!pskb_may_pull(skb, X25_EXT_MIN_LEN))
+                                return X25_ILLEGAL;
+                        frame = skb->data;
                        *q  = (frame[0] & X25_Q_BIT) == X25_Q_BIT;
                        *d  = (frame[0] & X25_D_BIT) == X25_D_BIT;
                        *m  = (frame[3] & X25_EXT_M_BIT) == X25_EXT_M_BIT;