x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.

Here is a patch to stop X.25 examining fields beyond the end of the packet.

For example, when a simple CALL ACCEPTED was received:

	10 10 0f

x25_parse_facilities was attempting to decode the FACILITIES field, but this
packet contains no facilities field.

Signed-off-by: John Hughes <john@calva.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 11 insertions, 1 deletions

diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
index a21f6646eb3a..a2765c6b1f1a 100644
--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -35,7 +35,7 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
                 struct x25_dte_facilities *dte_facs, unsigned long *vc_fac_mask)
 {
         unsigned char *p = skb->data;
-        unsigned int len = *p++;
+        unsigned int len;
 
         *vc_fac_mask = 0;
 
@@ -50,6 +50,14 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
         memset(dte_facs->called_ae, '\0', sizeof(dte_facs->called_ae));
         memset(dte_facs->calling_ae, '\0', sizeof(dte_facs->calling_ae));
 
+        if (skb->len < 1)
+                return 0;
+
+        len = *p++;
+
+        if (len >= skb->len)
+                return -1;
+
         while (len > 0) {
                 switch (*p & X25_FAC_CLASS_MASK) {
                 case X25_FAC_CLASS_A:
@@ -247,6 +255,8 @@ int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk,
         memcpy(new, ours, sizeof(*new));
 
         len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask);
+        if (len < 0)
+                return len;
 
         /*
          *      They want reverse charging, we won't accept it.