From 27785d83e4256fedeff45256d4c827fdcb47f2ce Mon Sep 17 00:00:00 2001 From: Joonwoo Park Date: Fri, 28 Mar 2008 16:27:33 -0700 Subject: [LLC]: bogus llc packet length discard llc packet which has bogus packet length. Signed-off-by: Joonwoo Park Acked-by: Arnaldo Carvalho de Melo Signed-off-by: David S. Miller --- net/llc/llc_input.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'net/llc/llc_input.c') diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c index c40c9b2a345..bfd2567dd36 100644 --- a/net/llc/llc_input.c +++ b/net/llc/llc_input.c @@ -117,8 +117,12 @@ static inline int llc_fixup_skb(struct sk_buff *skb) skb_pull(skb, llc_len); if (skb->protocol == htons(ETH_P_802_2)) { __be16 pdulen = eth_hdr(skb)->h_proto; - u16 data_size = ntohs(pdulen) - llc_len; + s32 data_size = ntohs(pdulen) - llc_len; + if (data_size < 0 || + ((skb_tail_pointer(skb) - + (u8 *)pdu) - llc_len) < data_size) + return 0; if (unlikely(pskb_trim_rcsum(skb, data_size))) return 0; } -- cgit v1.2.3-70-g09d2