memory corruption in X.25 facilities parsing
1 /*
2  *      X.25 Packet Layer release 002
3  *
4  *      This is ALPHA test software. This code may break your machine,
5  *      randomly fail to work with new releases, misbehave and/or generally
6  *      screw up. It might even work.
7  *
8  *      This code REQUIRES 2.1.15 or higher
9  *
10  *      This module:
11  *              This module is free software; you can redistribute it and/or
12  *              modify it under the terms of the GNU General Public License
13  *              as published by the Free Software Foundation; either version
14  *              2 of the License, or (at your option) any later version.
15  *
16  *      History
17  *      X.25 001        Split from x25_subr.c
18  *      mar/20/00       Daniela Squassoni Disabling/enabling of facilities
19  *                                        negotiation.
20  *      apr/14/05       Shaun Pereira - Allow fast select with no restriction
21  *                                      on response.
22  */
23
24 #include <linux/kernel.h>
25 #include <linux/string.h>
26 #include <linux/skbuff.h>
27 #include <net/sock.h>
28 #include <net/x25.h>
29
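/*
 *	Parse the facilities field at skb->data into *facilities and *dte_facs,
 *	recording in *vc_fac_mask which facilities were present.  Unrecognised
 *	facilities are written to the debug log.
 *
 *	Wire layout: one length byte, then that many bytes of facilities.  Each
 *	facility begins with a code byte whose class bits (X25_FAC_CLASS_MASK)
 *	fix its size: class A is 2 bytes, B is 3, C is 4, and class D carries
 *	its own length in the second byte (size = p[1] + 2).
 *
 *	Returns the number of bytes consumed, length byte included; 0 when the
 *	field is empty or a facility is malformed (the caller cannot tell the
 *	two apart); -1 when the declared length does not fit in skb.
 *
 *	The skb is input from the peer, so every read below is checked
 *	against the remaining declared length before it happens.
 */
int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
		struct x25_dte_facilities *dte_facs, unsigned long *vc_fac_mask)
{
	unsigned char *p = skb->data;
	unsigned int len;

	*vc_fac_mask = 0;

	/*
	 * The kernel knows which facilities were set on an incoming call but
	 * currently this information is not available to userspace.  Here we
	 * give userspace who read incoming call facilities 0 length to indicate
	 * it wasn't set.
	 */
	dte_facs->calling_len = 0;
	dte_facs->called_len = 0;
	memset(dte_facs->called_ae, '\0', sizeof(dte_facs->called_ae));
	memset(dte_facs->calling_ae, '\0', sizeof(dte_facs->calling_ae));

	if (skb->len < 1)
		return 0;

	len = *p++;

	/*
	 * The facilities occupy skb->data[1 .. len], so len + 1 bytes must be
	 * present.  This bounds every p[] access to the packet as long as the
	 * per-facility checks below keep len from wrapping.
	 */
	if (len >= skb->len)
		return -1;

	while (len > 0) {
		switch (*p & X25_FAC_CLASS_MASK) {
		case X25_FAC_CLASS_A:
			/*
			 * len is unsigned: consuming a facility larger than what
			 * remains would wrap it to a huge value and the loop would
			 * keep reading far past the packet.  Each class therefore
			 * checks its size before touching p[1..].
			 */
			if (len < 2)
				return 0;
			switch (*p) {
			case X25_FAC_REVERSE:
				if ((p[1] & 0x81) == 0x81) {
					facilities->reverse = p[1] & 0x81;
					*vc_fac_mask |= X25_MASK_REVERSE;
					break;
				}

				if ((p[1] & 0x01) == 0x01) {
					facilities->reverse = p[1] & 0x01;
					*vc_fac_mask |= X25_MASK_REVERSE;
					break;
				}

				if ((p[1] & 0x80) == 0x80) {
					facilities->reverse = p[1] & 0x80;
					*vc_fac_mask |= X25_MASK_REVERSE;
					break;
				}

				if (p[1] == 0x00) {
					facilities->reverse
						= X25_DEFAULT_REVERSE;
					*vc_fac_mask |= X25_MASK_REVERSE;
					break;
				}
				/*
				 * Any other value (bits 0 and 7 clear, non-zero)
				 * drops into the throughput case and is stored as
				 * a throughput value.  Kept exactly as the code
				 * behaved before; NOTE(review): looks unintended,
				 * confirm before changing.
				 */
				/* fallthrough */
			case X25_FAC_THROUGHPUT:
				facilities->throughput = p[1];
				*vc_fac_mask |= X25_MASK_THROUGHPUT;
				break;
			case X25_MARKER:
				break;
			default:
				printk(KERN_DEBUG "X.25: unknown facility "
				       "%02X, value %02X\n",
				       p[0], p[1]);
				break;
			}
			p   += 2;
			len -= 2;
			break;
		case X25_FAC_CLASS_B:
			if (len < 3)
				return 0;
			switch (*p) {
			case X25_FAC_PACKET_SIZE:
				facilities->pacsize_in  = p[1];
				facilities->pacsize_out = p[2];
				*vc_fac_mask |= X25_MASK_PACKET_SIZE;
				break;
			case X25_FAC_WINDOW_SIZE:
				facilities->winsize_in  = p[1];
				facilities->winsize_out = p[2];
				*vc_fac_mask |= X25_MASK_WINDOW_SIZE;
				break;
			default:
				printk(KERN_DEBUG "X.25: unknown facility "
				       "%02X, values %02X, %02X\n",
				       p[0], p[1], p[2]);
				break;
			}
			p   += 3;
			len -= 3;
			break;
		case X25_FAC_CLASS_C:
			if (len < 4)
				return 0;
			printk(KERN_DEBUG "X.25: unknown facility %02X, "
			       "values %02X, %02X, %02X\n",
			       p[0], p[1], p[2], p[3]);
			p   += 4;
			len -= 4;
			break;
		case X25_FAC_CLASS_D:
			/*
			 * p[1] is the number of bytes that follow it, so the
			 * facility is p[1] + 2 bytes long.  Reject one that claims
			 * more than remains: this bounds the memcpy sources below
			 * and keeps the "len -=" at the end from wrapping.
			 */
			if (len < (unsigned int)p[1] + 2)
				return 0;
			switch (*p) {
			case X25_FAC_CALLING_AE:
				/*
				 * p[1] - 1 bytes are copied, so p[1] must be at
				 * least 2 (for p[1] == 0 the size would convert
				 * to a huge size_t) and no more than the
				 * destination can take.  This relies on calling_ae
				 * holding at least X25_MAX_DTE_FACIL_LEN - 1 bytes.
				 */
				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
					return 0;
				/*
				 * p[2] is the peer's digit count and is stored
				 * without being checked against the bytes actually
				 * copied.  NOTE(review): consumers must not use it
				 * as a byte count without bounding it first.
				 */
				dte_facs->calling_len = p[2];
				memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
				*vc_fac_mask |= X25_MASK_CALLING_AE;
				break;
			case X25_FAC_CALLED_AE:
				/* Same constraints as the calling AE above. */
				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
					return 0;
				dte_facs->called_len = p[2];
				memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
				*vc_fac_mask |= X25_MASK_CALLED_AE;
				break;
			default:
				/*
				 * The debug line shows four value bytes; only read
				 * them when the facility actually carries them,
				 * otherwise p[2..5] could lie past the packet.
				 */
				if (p[1] >= 4)
					printk(KERN_DEBUG "X.25: unknown facility %02X,"
						"length %d, values %02X, %02X, "
						"%02X, %02X\n",
						p[0], p[1], p[2], p[3], p[4], p[5]);
				else
					printk(KERN_DEBUG "X.25: unknown facility %02X,"
						"length %d\n", p[0], p[1]);
				break;
			}
			len -= p[1] + 2;
			p += p[1] + 2;
			break;
		default:
			/*
			 * Not reachable if X25_FAC_CLASS_MASK selects exactly the
			 * four classes above; kept so that an unmatched class byte
			 * can never leave p and len unchanged and spin this loop
			 * forever.
			 */
			return 0;
		}
	}

	return p - skb->data;
}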
165
/*
 *	Create a set of facilities: encode *facilities and *dte_facs into
 *	buffer, emitting only those selected by facil_mask that carry a
 *	non-zero value.
 *
 *	buffer[0] receives the length of what follows it (the length byte is
 *	not counted); the encoded facilities start at buffer[1].  When either
 *	address-extension facility is selected it is preceded by the
 *	X25_MARKER / X25_DTE_SERVICES pair.
 *
 *	Returns the total number of bytes written, length byte included.
 *
 *	NOTE(review): no capacity is passed for buffer, and calling_len /
 *	called_len size the copy out of calling_ae / called_ae unchecked, so
 *	the caller owns both bounds.
 */
int x25_create_facilities(unsigned char *buffer,
		struct x25_facilities *facilities,
		struct x25_dte_facilities *dte_facs, unsigned long facil_mask)
{
	unsigned char *out = buffer + 1;

	if (!facil_mask) {
		/* Nothing to send: just a zero length byte. */
		buffer[0] = 0;
		return 1;
	}

	if ((facil_mask & X25_MASK_REVERSE) && facilities->reverse) {
		out[0] = X25_FAC_REVERSE;
		out[1] = facilities->reverse;
		out += 2;
	}

	if ((facil_mask & X25_MASK_THROUGHPUT) && facilities->throughput) {
		out[0] = X25_FAC_THROUGHPUT;
		out[1] = facilities->throughput;
		out += 2;
	}

	if ((facil_mask & X25_MASK_PACKET_SIZE) &&
	    (facilities->pacsize_in || facilities->pacsize_out)) {
		/* A direction left at zero borrows the other one's value. */
		out[0] = X25_FAC_PACKET_SIZE;
		out[1] = facilities->pacsize_in ? facilities->pacsize_in
						: facilities->pacsize_out;
		out[2] = facilities->pacsize_out ? facilities->pacsize_out
						 : facilities->pacsize_in;
		out += 3;
	}

	if ((facil_mask & X25_MASK_WINDOW_SIZE) &&
	    (facilities->winsize_in || facilities->winsize_out)) {
		out[0] = X25_FAC_WINDOW_SIZE;
		out[1] = facilities->winsize_in ? facilities->winsize_in
						: facilities->winsize_out;
		out[2] = facilities->winsize_out ? facilities->winsize_out
						 : facilities->winsize_in;
		out += 3;
	}

	if (facil_mask & (X25_MASK_CALLING_AE | X25_MASK_CALLED_AE)) {
		out[0] = X25_MARKER;
		out[1] = X25_DTE_SERVICES;
		out += 2;
	}

	if ((facil_mask & X25_MASK_CALLING_AE) && dte_facs->calling_len) {
		/* calling_len is treated as half-bytes: two per byte, rounded up. */
		unsigned nbytes = (dte_facs->calling_len + 1) / 2;

		out[0] = X25_FAC_CALLING_AE;
		out[1] = 1 + nbytes;
		out[2] = dte_facs->calling_len;
		memcpy(out + 3, dte_facs->calling_ae, nbytes);
		out += 3 + nbytes;
	}

	if ((facil_mask & X25_MASK_CALLED_AE) && dte_facs->called_len) {
		/* Same rounding as for the calling address above. */
		unsigned nbytes = (dte_facs->called_len + 1) / 2;

		out[0] = X25_FAC_CALLED_AE;
		out[1] = 1 + nbytes;
		out[2] = dte_facs->called_len;
		memcpy(out + 3, dte_facs->called_ae, nbytes);
		out += 3 + nbytes;
	}

	/* The length byte excludes itself; the return value includes it. */
	buffer[0] = (out - buffer) - 1;
	return out - buffer;
}
240
/*
 *	Try to reach a compromise on a set of facilities.
 *
 *	*new starts as a copy of our own facilities and is then adjusted
 *	towards the peer's proposal parsed from skb: throughput, packet size
 *	and window size may only be lowered.  Reverse charging is the one
 *	facility that can cause outright rejection.  The peer's DTE facilities
 *	land in *dte and the socket's vc_facil_mask is filled in by the parser.
 *
 *	Returns the number of facility bytes consumed, or a negative value when
 *	parsing fails or reverse charging is refused.
 */
int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk,
		struct x25_facilities *new, struct x25_dte_facilities *dte)
{
	struct x25_sock *x25 = x25_sk(sk);
	struct x25_facilities *ours = &x25->facilities;
	struct x25_facilities theirs;
	int consumed;

	memset(&theirs, 0, sizeof(theirs));
	memcpy(new, ours, sizeof(*new));

	consumed = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask);
	if (consumed < 0)
		return consumed;

	/* They want reverse charging, we won't accept it. */
	if ((theirs.reverse & 0x01) && (ours->reverse & 0x01)) {
		SOCK_DEBUG(sk, "X.25: rejecting reverse charging request\n");
		return -1;
	}
	new->reverse = theirs.reverse;

	if (theirs.throughput) {
		/* Low nibble is the "in" value, high nibble the "out" value. */
		int in_theirs  = theirs.throughput & 0x0f;
		int out_theirs = theirs.throughput & 0xf0;
		int in_ours    = ours->throughput & 0x0f;
		int out_ours   = ours->throughput & 0xf0;

		/* A zero of ours is treated as no preference: theirs is taken. */
		if (in_ours == 0 || in_theirs < in_ours) {
			SOCK_DEBUG(sk, "X.25: inbound throughput negotiated\n");
			new->throughput = (new->throughput & 0xf0) | in_theirs;
		}
		if (out_ours == 0 || out_theirs < out_ours) {
			SOCK_DEBUG(sk,
				"X.25: outbound throughput negotiated\n");
			new->throughput = (new->throughput & 0x0f) | out_theirs;
		}
	}

	/* Packet and window sizes are only ever negotiated downwards. */
	if (theirs.pacsize_in && theirs.pacsize_out) {
		if (theirs.pacsize_in < ours->pacsize_in) {
			SOCK_DEBUG(sk, "X.25: packet size inwards negotiated down\n");
			new->pacsize_in = theirs.pacsize_in;
		}
		if (theirs.pacsize_out < ours->pacsize_out) {
			SOCK_DEBUG(sk, "X.25: packet size outwards negotiated down\n");
			new->pacsize_out = theirs.pacsize_out;
		}
	}

	if (theirs.winsize_in && theirs.winsize_out) {
		if (theirs.winsize_in < ours->winsize_in) {
			SOCK_DEBUG(sk, "X.25: window size inwards negotiated down\n");
			new->winsize_in = theirs.winsize_in;
		}
		if (theirs.winsize_out < ours->winsize_out) {
			SOCK_DEBUG(sk, "X.25: window size outwards negotiated down\n");
			new->winsize_out = theirs.winsize_out;
		}
	}

	return consumed;
}
311
/*
 *	Limit values of certain facilities according to the capability of the
 *	currently attached x25 link: unless the neighbour is flagged as
 *	extended, neither window size may exceed 7.  (What "extended" means
 *	for the link is not defined here; presumably modulo-128 sequencing —
 *	confirm against struct x25_neigh.)
 */
void x25_limit_facilities(struct x25_facilities *facilities,
			  struct x25_neigh *nb)
{
	if (nb->extended)
		return;

	if (facilities->winsize_in > 7) {
		printk(KERN_DEBUG "X.25: incoming winsize limited to 7\n");
		facilities->winsize_in = 7;
	}
	if (facilities->winsize_out > 7) {
		facilities->winsize_out = 7;
		printk(KERN_DEBUG "X.25: outgoing winsize limited to 7\n");
	}
}
329         }
330 }