x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.

extern int  sysctl_x25_ack_holdback_timeout;

extern int  sysctl_x25_forward;

extern int x25_parse_address_block(struct sk_buff *skb,

		struct x25_address *called_addr,

		struct x25_address *calling_addr);

extern int  x25_addr_ntoa(unsigned char *, struct x25_address *,

			  struct x25_address *);

extern int  x25_addr_aton(unsigned char *, struct x25_address *,

};

#endif

int x25_parse_address_block(struct sk_buff *skb,

		struct x25_address *called_addr,

		struct x25_address *calling_addr)

{

	unsigned char len;

	int needed;

	int rc;

	if (skb->len < 1) {

		/* packet has no address block */

		rc = 0;

		goto empty;

	}

	len = *skb->data;

	needed = 1 + (len >> 4) + (len & 0x0f);

	if (skb->len < needed) {

		/* packet is too short to hold the addresses it claims

		   to hold */

		rc = -1;

		goto empty;

	}

	return x25_addr_ntoa(skb->data, called_addr, calling_addr);

empty:

	*called_addr->x25_addr = 0;

	*calling_addr->x25_addr = 0;

	return rc;

}

int x25_addr_ntoa(unsigned char *p, struct x25_address *called_addr,

		  struct x25_address *calling_addr)

{

	/*

	 *	Extract the X.25 addresses and convert them to ASCII strings,

	 *	and remove them.

	 *

	 *	Address block is mandatory in call request packets

	 */

	addr_len = x25_addr_ntoa(skb->data, &source_addr, &dest_addr);

	addr_len = x25_parse_address_block(skb, &source_addr, &dest_addr);

	if (addr_len <= 0)

		goto out_clear_request;

	skb_pull(skb, addr_len);

	/*

	 *	Get the length of the facilities, skip past them for the moment

	 *	get the call user data because this is needed to determine

	 *	the correct listener

	 *

	 *	Facilities length is mandatory in call request packets

	 */

	if (skb->len < 1)

		goto out_clear_request;

	len = skb->data[0] + 1;

	if (skb->len < len)

		goto out_clear_request;

	skb_pull(skb,len);

	/*

		struct x25_dte_facilities *dte_facs, unsigned long *vc_fac_mask)

{

	unsigned char *p = skb->data;

	unsigned int len = *p++;

	unsigned int len;

	*vc_fac_mask = 0;

	memset(dte_facs->called_ae, '\0', sizeof(dte_facs->called_ae));

	memset(dte_facs->calling_ae, '\0', sizeof(dte_facs->calling_ae));

	if (skb->len < 1)

		return 0;

	len = *p++;

	if (len >= skb->len)

		return -1;

	while (len > 0) {

		switch (*p & X25_FAC_CLASS_MASK) {

		case X25_FAC_CLASS_A:

	memcpy(new, ours, sizeof(*new));

	len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask);

	if (len < 0)

		return len;

	/*

	 *	They want reverse charging, we won't accept it.

static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametype)

{

	struct x25_address source_addr, dest_addr;

	int len;

	switch (frametype) {

		case X25_CALL_ACCEPTED: {

			 *	Parse the data in the frame.

			 */

			skb_pull(skb, X25_STD_MIN_LEN);

			skb_pull(skb, x25_addr_ntoa(skb->data, &source_addr, &dest_addr));

			skb_pull(skb,

				 x25_parse_facilities(skb, &x25->facilities,

			len = x25_parse_address_block(skb, &source_addr,

						&dest_addr);

			if (len > 0)

				skb_pull(skb, len);

			len = x25_parse_facilities(skb, &x25->facilities,

						&x25->dte_facilities,

						&x25->vc_facil_mask));

						&x25->vc_facil_mask);

			if (len > 0)

				skb_pull(skb, len);

			/*

			 *	Copy any Call User Data.

			 */