memory corruption in X.25 facilities parsing

Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: andrew hendry <andrew.hendry@gmail.com> 2010-11-03 08:54:53 -0400
committer: David S. Miller <davem@davemloft.net> 2010-11-03 21:50:50 -0400
commit: a6331d6f9a4298173b413cf99a40cc86a9d92c37 (patch)
tree: b665efee7dae4472e0f4521bbdd3aef626813ba6 /net/x25
parent: 41bb78b4b9adb21cf2c395b6b880aaae99c788b7 (diff)
2 files changed, 6 insertions, 4 deletions
diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
index 771bab00754b..3a8c4c419cd4 100644
--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -134,15 +134,15 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
                case X25_FAC_CLASS_D:
                        switch (*p) {
                        case X25_FAC_CALLING_AE:
-                                if (p[1] > X25_MAX_DTE_FACIL_LEN)
+                                if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
-                                        break;
+                                        return 0;
                                dte_facs->calling_len = p[2];
                                memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
                                *vc_fac_mask |= X25_MASK_CALLING_AE;
                                break;
                        case X25_FAC_CALLED_AE:
-                                if (p[1] > X25_MAX_DTE_FACIL_LEN)
+                                if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
-                                        break;
+                                        return 0;
                                dte_facs->called_len = p[2];
                                memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
                                *vc_fac_mask |= X25_MASK_CALLED_AE;
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
index 63178961efac..f729f022be69 100644
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@@ -119,6 +119,8 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
                                                &x25->vc_facil_mask);
                        if (len > 0)
                                skb_pull(skb, len);
+                        else
+                                return -1;
                        /*
                         *      Copy any Call User Data.
                         */
author	andrew hendry <andrew.hendry@gmail.com>	2010-11-03 08:54:53 -0400
committer	David S. Miller <davem@davemloft.net>	2010-11-03 21:50:50 -0400
commit	a6331d6f9a4298173b413cf99a40cc86a9d92c37 (patch)
tree	b665efee7dae4472e0f4521bbdd3aef626813ba6 /net/x25
parent	41bb78b4b9adb21cf2c395b6b880aaae99c788b7 (diff)