diff options
Diffstat (limited to 'net/x25/x25_facilities.c')
| -rw-r--r-- | net/x25/x25_facilities.c | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c index 771bab00754b..55187c8f6420 100644 --- a/net/x25/x25_facilities.c +++ b/net/x25/x25_facilities.c | |||
| @@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities, | |||
| 61 | while (len > 0) { | 61 | while (len > 0) { |
| 62 | switch (*p & X25_FAC_CLASS_MASK) { | 62 | switch (*p & X25_FAC_CLASS_MASK) { |
| 63 | case X25_FAC_CLASS_A: | 63 | case X25_FAC_CLASS_A: |
| 64 | if (len < 2) | ||
| 65 | return 0; | ||
| 64 | switch (*p) { | 66 | switch (*p) { |
| 65 | case X25_FAC_REVERSE: | 67 | case X25_FAC_REVERSE: |
| 66 | if((p[1] & 0x81) == 0x81) { | 68 | if((p[1] & 0x81) == 0x81) { |
| @@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities, | |||
| 104 | len -= 2; | 106 | len -= 2; |
| 105 | break; | 107 | break; |
| 106 | case X25_FAC_CLASS_B: | 108 | case X25_FAC_CLASS_B: |
| 109 | if (len < 3) | ||
| 110 | return 0; | ||
| 107 | switch (*p) { | 111 | switch (*p) { |
| 108 | case X25_FAC_PACKET_SIZE: | 112 | case X25_FAC_PACKET_SIZE: |
| 109 | facilities->pacsize_in = p[1]; | 113 | facilities->pacsize_in = p[1]; |
| @@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities, | |||
| 125 | len -= 3; | 129 | len -= 3; |
| 126 | break; | 130 | break; |
| 127 | case X25_FAC_CLASS_C: | 131 | case X25_FAC_CLASS_C: |
| 132 | if (len < 4) | ||
| 133 | return 0; | ||
| 128 | printk(KERN_DEBUG "X.25: unknown facility %02X, " | 134 | printk(KERN_DEBUG "X.25: unknown facility %02X, " |
| 129 | "values %02X, %02X, %02X\n", | 135 | "values %02X, %02X, %02X\n", |
| 130 | p[0], p[1], p[2], p[3]); | 136 | p[0], p[1], p[2], p[3]); |
| @@ -132,26 +138,26 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities, | |||
| 132 | len -= 4; | 138 | len -= 4; |
| 133 | break; | 139 | break; |
| 134 | case X25_FAC_CLASS_D: | 140 | case X25_FAC_CLASS_D: |
| 141 | if (len < p[1] + 2) | ||
| 142 | return 0; | ||
| 135 | switch (*p) { | 143 | switch (*p) { |
| 136 | case X25_FAC_CALLING_AE: | 144 | case X25_FAC_CALLING_AE: |
| 137 | if (p[1] > X25_MAX_DTE_FACIL_LEN) | 145 | if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1) |
| 138 | break; | 146 | return 0; |
| 139 | dte_facs->calling_len = p[2]; | 147 | dte_facs->calling_len = p[2]; |
| 140 | memcpy(dte_facs->calling_ae, &p[3], p[1] - 1); | 148 | memcpy(dte_facs->calling_ae, &p[3], p[1] - 1); |
| 141 | *vc_fac_mask |= X25_MASK_CALLING_AE; | 149 | *vc_fac_mask |= X25_MASK_CALLING_AE; |
| 142 | break; | 150 | break; |
| 143 | case X25_FAC_CALLED_AE: | 151 | case X25_FAC_CALLED_AE: |
| 144 | if (p[1] > X25_MAX_DTE_FACIL_LEN) | 152 | if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1) |
| 145 | break; | 153 | return 0; |
| 146 | dte_facs->called_len = p[2]; | 154 | dte_facs->called_len = p[2]; |
| 147 | memcpy(dte_facs->called_ae, &p[3], p[1] - 1); | 155 | memcpy(dte_facs->called_ae, &p[3], p[1] - 1); |
| 148 | *vc_fac_mask |= X25_MASK_CALLED_AE; | 156 | *vc_fac_mask |= X25_MASK_CALLED_AE; |
| 149 | break; | 157 | break; |
| 150 | default: | 158 | default: |
| 151 | printk(KERN_DEBUG "X.25: unknown facility %02X," | 159 | printk(KERN_DEBUG "X.25: unknown facility %02X," |
| 152 | "length %d, values %02X, %02X, " | 160 | "length %d\n", p[0], p[1]); |
| 153 | "%02X, %02X\n", | ||
| 154 | p[0], p[1], p[2], p[3], p[4], p[5]); | ||
| 155 | break; | 161 | break; |
| 156 | } | 162 | } |
| 157 | len -= p[1] + 2; | 163 | len -= p[1] + 2; |