[PATCH] x25: drop packet on invalid facility headers

From: Andy Whitcroft
Date: Mon Jan 31 2011 - 05:37:36 EST

The commit below introduced additional checks for invalid facilities,
and a new return path when these were detected:

commit a6331d6f9a4298173b413cf99a40cc86a9d92c37
Author: andrew hendry <andrew.hendry@xxxxxxxxx>
Date: Wed Nov 3 12:54:53 2010 +0000

memory corruption in X.25 facilities parsing

This new return path short circuits packet handling, the new return -1

static int x25_state1_machine(struct sock *sk, struct sk_buff *skb,
int frametype)
len = x25_parse_facilities(skb, &x25->facilities,
if (len > 0)
skb_pull(skb, len);
return -1;

This return code is passed back up the chain (via x25_process_rx_frame)
and is interpreted as below by the caller:

int x25_backlog_rcv(struct sock *sk, struct sk_buff *skb)
int queued = x25_process_rx_frame(sk, skb);

if (!queued)

return 0;

Here we interpret the non-zero status as indicating the skb has been
requeued and should be preserved. As we have not actually done so it
will be leaked.

Fix this up by indicating that the packet should be dropped.

Signed-off-by: Andy Whitcroft <apw@xxxxxxxxxxxxx>
net/x25/x25_in.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
index f729f02..213b93a 100644
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@@ -120,7 +120,7 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
if (len > 0)
skb_pull(skb, len);
- return -1;
+ return 0;
* Copy any Call User Data.
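Review bot: The "return 0;" that replaces "return -1;" after skb_pull(skb, len) depends on the caller convention that zero means the skb was not queued and is to be dropped, and nothing at the return site says so. A one-line comment there stating that invalid facilities cause the packet to be dropped would keep it from being read as a success return. It is also worth confirming that every caller of x25_process_rx_frame treats zero this way, not only x25_backlog_rcv as quoted in the commit message.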

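The ownership convention described in the commit message, as an added user-space model that is not part of the original patch or of the kernel source. All fake_* names and the live_skbs counter are hypothetical, and the model assumes the caller frees the buffer when the status is zero (the line missing from the quoted x25_backlog_rcv excerpt).

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for struct sk_buff; only ownership is modelled. */
struct fake_skb { int len; };
static int live_skbs;              /* buffers allocated and not yet freed */

static struct fake_skb *fake_alloc_skb(void)
{
    struct fake_skb *skb = calloc(1, sizeof(*skb));
    if (skb)
        live_skbs++;
    return skb;
}

static void fake_kfree_skb(struct fake_skb *skb)
{
    free(skb);
    live_skbs--;
}

/* Invalid-facilities path: the skb is queued nowhere, `status` is returned. */
static int fake_process_rx_frame(struct fake_skb *skb, int status)
{
    (void)skb;
    return status;
}

/* Caller convention (assumed): zero = not queued, so the caller frees;
 * non-zero = the skb is owned elsewhere and must be preserved. */
static int fake_backlog_rcv(struct fake_skb *skb, int status)
{
    int queued = fake_process_rx_frame(skb, status);
    if (!queued)
        fake_kfree_skb(skb);
    return 0;
}

/* Number of buffers still live after one bad packet, for a given status. */
static int leaked_after(int status)
{
    live_skbs = 0;
    struct fake_skb *skb = fake_alloc_skb();
    if (!skb)
        return -1;
    fake_backlog_rcv(skb, status);
    return live_skbs;
}

int main(void)
{
    printf("return -1: %d leaked\n", leaked_after(-1));
    printf("return  0: %d leaked\n", leaked_after(0));
    return 0;
}
```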