rose: Add length checks to CALL_REQUEST parsing

#define	ROSE_MIN_LEN			3

#define	ROSE_MIN_LEN			3

#define	ROSE_CALL_REQ_ADDR_LEN_OFF	3

#define	ROSE_CALL_REQ_ADDR_LEN_VAL	0xAA	/* each address is 10 digits */

#define	ROSE_CALL_REQ_DEST_ADDR_OFF	4

#define	ROSE_CALL_REQ_SRC_ADDR_OFF	9

#define	ROSE_CALL_REQ_FACILITIES_OFF	14

#define	ROSE_GFI			0x10

#define	ROSE_GFI			0x10

#define	ROSE_Q_BIT			0x80

#define	ROSE_Q_BIT			0x80

#define	ROSE_D_BIT			0x40

#define	ROSE_D_BIT			0x40

extern int  rose_validate_nr(struct sock *, unsigned short);

extern int  rose_validate_nr(struct sock *, unsigned short);

extern void rose_write_internal(struct sock *, int);

extern void rose_write_internal(struct sock *, int);

extern int  rose_decode(struct sk_buff *, int *, int *, int *, int *, int *);

extern int  rose_decode(struct sk_buff *, int *, int *, int *, int *, int *);

extern int  rose_parse_facilities(unsigned char *, struct rose_facilities_struct *);

extern int  rose_parse_facilities(unsigned char *, unsigned int, struct rose_facilities_struct *);

extern void rose_disconnect(struct sock *, int, int, int);

extern void rose_disconnect(struct sock *, int, int, int);

/* rose_timer.c */

/* rose_timer.c */

	struct sock *make;

	struct sock *make;

	struct rose_sock *make_rose;

	struct rose_sock *make_rose;

	struct rose_facilities_struct facilities;

	struct rose_facilities_struct facilities;

	int n, len;

	int n;

	skb->sk = NULL;		/* Initially we don't know who it's for */

	skb->sk = NULL;		/* Initially we don't know who it's for */

	 */

	 */

	memset(&facilities, 0x00, sizeof(struct rose_facilities_struct));

	memset(&facilities, 0x00, sizeof(struct rose_facilities_struct));

	len  = (((skb->data[3] >> 4) & 0x0F) + 1) >> 1;

	if (!rose_parse_facilities(skb->data + ROSE_CALL_REQ_FACILITIES_OFF,

	len += (((skb->data[3] >> 0) & 0x0F) + 1) >> 1;

				   skb->len - ROSE_CALL_REQ_FACILITIES_OFF,

	if (!rose_parse_facilities(skb->data + len + 4, &facilities)) {

				   &facilities)) {

		rose_transmit_clear_request(neigh, lci, ROSE_INVALID_FACILITY, 76);

		rose_transmit_clear_request(neigh, lci, ROSE_INVALID_FACILITY, 76);

		return 0;

		return 0;

	}

	}

	unsigned int lci_i, lci_o;

	unsigned int lci_i, lci_o;

	while ((skb = skb_dequeue(&loopback_queue)) != NULL) {

	while ((skb = skb_dequeue(&loopback_queue)) != NULL) {

		if (skb->len < ROSE_MIN_LEN) {

			kfree_skb(skb);

			continue;

		}

		lci_i     = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);

		lci_i     = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);

		frametype = skb->data[2];

		frametype = skb->data[2];

		dest      = (rose_address *)(skb->data + 4);

		if (frametype == ROSE_CALL_REQUEST &&

		    (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF ||

		     skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] !=

		     ROSE_CALL_REQ_ADDR_LEN_VAL)) {

			kfree_skb(skb);

			continue;

		}

		dest      = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF);

		lci_o     = ROSE_DEFAULT_MAXVC + 1 - lci_i;

		lci_o     = ROSE_DEFAULT_MAXVC + 1 - lci_i;

		skb_reset_transport_header(skb);

		skb_reset_transport_header(skb);

	unsigned int lci, new_lci;

	unsigned int lci, new_lci;

	unsigned char cause, diagnostic;

	unsigned char cause, diagnostic;

	struct net_device *dev;

	struct net_device *dev;

	int len, res = 0;

	int res = 0;

	char buf[11];

	char buf[11];

#if 0

#if 0

		return res;

		return res;

#endif

#endif

	if (skb->len < ROSE_MIN_LEN)

		return res;

	frametype = skb->data[2];

	frametype = skb->data[2];

	lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);

	lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);

	src_addr  = (rose_address *)(skb->data + 9);

	if (frametype == ROSE_CALL_REQUEST &&

	dest_addr = (rose_address *)(skb->data + 4);

	    (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF ||

	     skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] !=

	     ROSE_CALL_REQ_ADDR_LEN_VAL))

		return res;

	src_addr  = (rose_address *)(skb->data + ROSE_CALL_REQ_SRC_ADDR_OFF);

	dest_addr = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF);

	spin_lock_bh(&rose_neigh_list_lock);

	spin_lock_bh(&rose_neigh_list_lock);

	spin_lock_bh(&rose_route_list_lock);

	spin_lock_bh(&rose_route_list_lock);

		goto out;

		goto out;

	}

	}

	len  = (((skb->data[3] >> 4) & 0x0F) + 1) >> 1;

	len += (((skb->data[3] >> 0) & 0x0F) + 1) >> 1;

	memset(&facilities, 0x00, sizeof(struct rose_facilities_struct));

	memset(&facilities, 0x00, sizeof(struct rose_facilities_struct));

	if (!rose_parse_facilities(skb->data + len + 4, &facilities)) {

	if (!rose_parse_facilities(skb->data + ROSE_CALL_REQ_FACILITIES_OFF,

				   skb->len - ROSE_CALL_REQ_FACILITIES_OFF,

				   &facilities)) {

		rose_transmit_clear_request(rose_neigh, lci, ROSE_INVALID_FACILITY, 76);

		rose_transmit_clear_request(rose_neigh, lci, ROSE_INVALID_FACILITY, 76);

		goto out;

		goto out;

	}

	}

		*dptr++ = ROSE_GFI | lci1;

		*dptr++ = ROSE_GFI | lci1;

		*dptr++ = lci2;

		*dptr++ = lci2;

		*dptr++ = frametype;

		*dptr++ = frametype;

		*dptr++ = 0xAA;

		*dptr++ = ROSE_CALL_REQ_ADDR_LEN_VAL;

		memcpy(dptr, &rose->dest_addr,  ROSE_ADDR_LEN);

		memcpy(dptr, &rose->dest_addr,  ROSE_ADDR_LEN);

		dptr   += ROSE_ADDR_LEN;

		dptr   += ROSE_ADDR_LEN;

		memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN);

		memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN);

	do {

	do {

		switch (*p & 0xC0) {

		switch (*p & 0xC0) {

		case 0x00:

		case 0x00:

			if (len < 2)

				return -1;

			p   += 2;

			p   += 2;

			n   += 2;

			n   += 2;

			len -= 2;

			len -= 2;

			break;

			break;

		case 0x40:

		case 0x40:

			if (len < 3)

				return -1;

			if (*p == FAC_NATIONAL_RAND)

			if (*p == FAC_NATIONAL_RAND)

				facilities->rand = ((p[1] << 8) & 0xFF00) + ((p[2] << 0) & 0x00FF);

				facilities->rand = ((p[1] << 8) & 0xFF00) + ((p[2] << 0) & 0x00FF);

			p   += 3;

			p   += 3;

			break;

			break;

		case 0x80:

		case 0x80:

			if (len < 4)

				return -1;

			p   += 4;

			p   += 4;

			n   += 4;

			n   += 4;

			len -= 4;

			len -= 4;

			break;

			break;

		case 0xC0:

		case 0xC0:

			if (len < 2)

				return -1;

			l = p[1];

			l = p[1];

			if (len < 2 + l)

				return -1;

			if (*p == FAC_NATIONAL_DEST_DIGI) {

			if (*p == FAC_NATIONAL_DEST_DIGI) {

				if (!fac_national_digis_received) {

				if (!fac_national_digis_received) {

					if (l < AX25_ADDR_LEN)

						return -1;

					memcpy(&facilities->source_digis[0], p + 2, AX25_ADDR_LEN);

					memcpy(&facilities->source_digis[0], p + 2, AX25_ADDR_LEN);

					facilities->source_ndigis = 1;

					facilities->source_ndigis = 1;

				}

				}

			}

			}

			else if (*p == FAC_NATIONAL_SRC_DIGI) {

			else if (*p == FAC_NATIONAL_SRC_DIGI) {

				if (!fac_national_digis_received) {

				if (!fac_national_digis_received) {

					if (l < AX25_ADDR_LEN)

						return -1;

					memcpy(&facilities->dest_digis[0], p + 2, AX25_ADDR_LEN);

					memcpy(&facilities->dest_digis[0], p + 2, AX25_ADDR_LEN);

					facilities->dest_ndigis = 1;

					facilities->dest_ndigis = 1;

				}

				}

			}

			}

			else if (*p == FAC_NATIONAL_FAIL_CALL) {

			else if (*p == FAC_NATIONAL_FAIL_CALL) {

				if (l < AX25_ADDR_LEN)

					return -1;

				memcpy(&facilities->fail_call, p + 2, AX25_ADDR_LEN);

				memcpy(&facilities->fail_call, p + 2, AX25_ADDR_LEN);

			}

			}

			else if (*p == FAC_NATIONAL_FAIL_ADD) {

			else if (*p == FAC_NATIONAL_FAIL_ADD) {

				if (l < 1 + ROSE_ADDR_LEN)

					return -1;

				memcpy(&facilities->fail_addr, p + 3, ROSE_ADDR_LEN);

				memcpy(&facilities->fail_addr, p + 3, ROSE_ADDR_LEN);

			}

			}

			else if (*p == FAC_NATIONAL_DIGIS) {

			else if (*p == FAC_NATIONAL_DIGIS) {

				if (l % AX25_ADDR_LEN)

					return -1;

				fac_national_digis_received = 1;

				fac_national_digis_received = 1;

				facilities->source_ndigis = 0;

				facilities->source_ndigis = 0;

				facilities->dest_ndigis   = 0;

				facilities->dest_ndigis   = 0;

	do {

	do {

		switch (*p & 0xC0) {

		switch (*p & 0xC0) {

		case 0x00:

		case 0x00:

			if (len < 2)

				return -1;

			p   += 2;

			p   += 2;

			n   += 2;

			n   += 2;

			len -= 2;

			len -= 2;

			break;

			break;

		case 0x40:

		case 0x40:

			if (len < 3)

				return -1;

			p   += 3;

			p   += 3;

			n   += 3;

			n   += 3;

			len -= 3;

			len -= 3;

			break;

			break;

		case 0x80:

		case 0x80:

			if (len < 4)

				return -1;

			p   += 4;

			p   += 4;

			n   += 4;

			n   += 4;

			len -= 4;

			len -= 4;

			break;

			break;

		case 0xC0:

		case 0xC0:

			if (len < 2)

				return -1;

			l = p[1];

			l = p[1];

			/* Prevent overflows*/

			/* Prevent overflows*/

	return n;

	return n;

}

}

int rose_parse_facilities(unsigned char *p,

int rose_parse_facilities(unsigned char *p, unsigned packet_len,

	struct rose_facilities_struct *facilities)

	struct rose_facilities_struct *facilities)

{

{

	int facilities_len, len;

	int facilities_len, len;

	facilities_len = *p++;

	facilities_len = *p++;

	if (facilities_len == 0)

	if (facilities_len == 0 || (unsigned)facilities_len > packet_len)

		return 0;

		return 0;

	while (facilities_len > 0) {

	while (facilities_len >= 3 && *p == 0x00) {

		if (*p == 0x00) {

		facilities_len--;

		facilities_len--;

		p++;

		p++;

		switch (*p) {

		switch (*p) {

		case FAC_NATIONAL:		/* National */

		case FAC_NATIONAL:		/* National */

			len = rose_parse_national(p + 1, facilities, facilities_len - 1);

			len = rose_parse_national(p + 1, facilities, facilities_len - 1);

				if (len < 0)

					return 0;

				facilities_len -= len + 1;

				p += len + 1;

			break;

			break;

		case FAC_CCITT:		/* CCITT */

		case FAC_CCITT:		/* CCITT */

			len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);

			len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);

				if (len < 0)

					return 0;

				facilities_len -= len + 1;

				p += len + 1;

			break;

			break;

		default:

		default:

			printk(KERN_DEBUG "ROSE: rose_parse_facilities - unknown facilities family %02X\n", *p);

			printk(KERN_DEBUG "ROSE: rose_parse_facilities - unknown facilities family %02X\n", *p);

				facilities_len--;

			len = 1;

				p++;

			break;

			break;

		}

		}

		} else

			break;	/* Error in facilities format */

		if (len < 0)

			return 0;

		if (WARN_ON(len >= facilities_len))

			return 0;

		facilities_len -= len + 1;

		p += len + 1;

	}

	}

	return 1;

	return facilities_len == 0;

}

}

static int rose_create_facilities(unsigned char *buffer, struct rose_sock *rose)

static int rose_create_facilities(unsigned char *buffer, struct rose_sock *rose)