[LLC]: bogus llc packet length
authorJoonwoo Park <joonwpark81@gmail.com>
Fri, 28 Mar 2008 23:27:33 +0000 (16:27 -0700)
committerDavid S. Miller <davem@davemloft.net>
Fri, 28 Mar 2008 23:27:33 +0000 (16:27 -0700)
Discard LLC packets that carry a bogus packet length.

Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/llc/llc_input.c

index c40c9b2a345aca6058d222ad662f4a830c943d7e..bfd2567dd365605afc287a684e0e91fe063d89e1 100644 (file)
@@ -117,8 +117,12 @@ static inline int llc_fixup_skb(struct sk_buff *skb)
        skb_pull(skb, llc_len);
        if (skb->protocol == htons(ETH_P_802_2)) {
                __be16 pdulen = eth_hdr(skb)->h_proto;
-               u16 data_size = ntohs(pdulen) - llc_len;
+               s32 data_size = ntohs(pdulen) - llc_len;
 
+               if (data_size < 0 ||
+                   ((skb_tail_pointer(skb) -
+                     (u8 *)pdu) - llc_len) < data_size)
+                       return 0;
                if (unlikely(pskb_trim_rcsum(skb, data_size)))
                        return 0;
        }
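Review bot: The upper bound in the new `data_size` check is computed from `skb_tail_pointer(skb)`, which covers only the linear part of the buffer. A frame whose payload sits partly in page fragments would therefore be dropped even when its 802.3 length field is honest; whether non-linear skbs can reach this path is not visible in the hunk. Because `skb_pull(skb, llc_len)` has already run, the same validation can be written against the skb's own accounting as `if (data_size < 0 || !pskb_may_pull(skb, data_size)) return 0;`, which also removes the pointer arithmetic on `pdu` (declared outside the hunk). A short comment such as `/* length field comes off the wire: reject values smaller than the LLC header or larger than the data actually received */` would record why `data_size` became signed. The body of `llc_fixup_skb` starts and ends outside the hunk.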