diff options
| author | John Hughes <john@calva.com> | 2010-04-08 00:29:25 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2010-04-08 00:29:25 -0400 |
| commit | f5eb917b861828da18dc28854308068c66d1449a (patch) | |
| tree | aa45d1a809abbe426b55dc89b8167e5a6609d418 /net/x25/x25_in.c | |
| parent | fd218cf9557b9bf7061365a8fe7020a56d3f767c (diff) | |
x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
Here is a patch to stop X.25 examining fields beyond the end of the packet.
For example, when a simple CALL ACCEPTED was received:
10 10 0f
x25_parse_facilities was attempting to decode the FACILITIES field, but this
packet contains no facilities field.
Signed-off-by: John Hughes <john@calva.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/x25/x25_in.c')
| -rw-r--r-- | net/x25/x25_in.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c index 96d922783547..b39072f3a297 100644 --- a/net/x25/x25_in.c +++ b/net/x25/x25_in.c | |||
| @@ -89,6 +89,7 @@ static int x25_queue_rx_frame(struct sock *sk, struct sk_buff *skb, int more) | |||
| 89 | static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametype) | 89 | static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametype) |
| 90 | { | 90 | { |
| 91 | struct x25_address source_addr, dest_addr; | 91 | struct x25_address source_addr, dest_addr; |
| 92 | int len; | ||
| 92 | 93 | ||
| 93 | switch (frametype) { | 94 | switch (frametype) { |
| 94 | case X25_CALL_ACCEPTED: { | 95 | case X25_CALL_ACCEPTED: { |
| @@ -106,11 +107,17 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp | |||
| 106 | * Parse the data in the frame. | 107 | * Parse the data in the frame. |
| 107 | */ | 108 | */ |
| 108 | skb_pull(skb, X25_STD_MIN_LEN); | 109 | skb_pull(skb, X25_STD_MIN_LEN); |
| 109 | skb_pull(skb, x25_addr_ntoa(skb->data, &source_addr, &dest_addr)); | 110 | |
| 110 | skb_pull(skb, | 111 | len = x25_parse_address_block(skb, &source_addr, |
| 111 | x25_parse_facilities(skb, &x25->facilities, | 112 | &dest_addr); |
| 113 | if (len > 0) | ||
| 114 | skb_pull(skb, len); | ||
| 115 | |||
| 116 | len = x25_parse_facilities(skb, &x25->facilities, | ||
| 112 | &x25->dte_facilities, | 117 | &x25->dte_facilities, |
| 113 | &x25->vc_facil_mask)); | 118 | &x25->vc_facil_mask); |
| 119 | if (len > 0) | ||
| 120 | skb_pull(skb, len); | ||
| 114 | /* | 121 | /* |
| 115 | * Copy any Call User Data. | 122 | * Copy any Call User Data. |
| 116 | */ | 123 | */ |