[linux-2.6] / net / x25 / x25_subr.c
1 /*
2  *      X.25 Packet Layer release 002
3  *
4  *      This is ALPHA test software. This code may break your machine,
5  *      randomly fail to work with new releases, misbehave and/or generally
6  *      screw up. It might even work.
7  *
8  *      This code REQUIRES 2.1.15 or higher
9  *
10  *      This module:
11  *              This module is free software; you can redistribute it and/or
12  *              modify it under the terms of the GNU General Public License
13  *              as published by the Free Software Foundation; either version
14  *              2 of the License, or (at your option) any later version.
15  *
16  *      History
17  *      X.25 001        Jonathan Naylor   Started coding.
18  *      X.25 002        Jonathan Naylor   Centralised disconnection processing.
19  *      mar/20/00       Daniela Squassoni Disabling/enabling of facilities
20  *                                        negotiation.
21  *      jun/24/01       Arnaldo C. Melo   use skb_queue_purge, cleanups
22  *      apr/04/15       Shaun Pereira           Fast select with no
23  *                                              restriction on response.
24  */
25
26 #include <linux/kernel.h>
27 #include <linux/string.h>
28 #include <linux/skbuff.h>
29 #include <net/sock.h>
30 #include <net/tcp_states.h>
31 #include <net/x25.h>
32
/*
 *      Discard every frame still queued on this socket: the socket write
 *      queue and the X.25 ack, interrupt-in, interrupt-out and fragment
 *      queues.
 */
void x25_clear_queues(struct sock *sk)
{
        struct x25_sock *xs = x25_sk(sk);
        struct sk_buff_head *queues[] = {
                &sk->sk_write_queue,
                &xs->ack_queue,
                &xs->interrupt_in_queue,
                &xs->interrupt_out_queue,
                &xs->fragment_queue,
        };
        unsigned int i;

        /* Same purge order as before; the queues are independent. */
        for (i = 0; i < ARRAY_SIZE(queues); i++)
                skb_queue_purge(queues[i]);
}
46
47
/*
 * Release the frames on the ack queue that the acknowledgement number nr
 * covers, advancing V(a) one step per frame until it equals nr. This
 * replaces the boxes labelled "V(a) <- N(r)" on the SDL diagram.
 *
 * The loop also ends as soon as the ack queue is empty, so an nr that V(a)
 * never reaches cannot spin here, but it will free every frame still
 * awaiting acknowledgement.
 * NOTE(review): presumably callers reject an out-of-window nr with
 * x25_validate_nr() before calling this - confirm at the call sites.
 */
void x25_frames_acked(struct sock *sk, unsigned short nr)
{
        struct x25_sock *x25 = x25_sk(sk);
        int modulus;

        /* Sequence numbers wrap at the modulus negotiated for the link. */
        if (x25->neighbour->extended)
                modulus = X25_EMODULUS;
        else
                modulus = X25_SMODULUS;

        while (x25->va != nr && skb_peek(&x25->ack_queue)) {
                kfree_skb(skb_dequeue(&x25->ack_queue));
                x25->va = (x25->va + 1) % modulus;
        }
}
69
/*
 * Move every un-acked frame from the ack queue back to the front of the
 * socket write queue, keeping the frames in their original order, so that
 * x25_kick can pick them up again. The first frame goes to the head of the
 * write queue and each later one is linked in behind its predecessor, which
 * also copes with an empty write queue.
 */
void x25_requeue_frames(struct sock *sk)
{
        struct sk_buff_head *ackq = &x25_sk(sk)->ack_queue;
        struct sk_buff *last = NULL;
        struct sk_buff *skb;

        for (skb = skb_dequeue(ackq); skb != NULL; skb = skb_dequeue(ackq)) {
                if (last)
                        skb_append(last, skb, &sk->sk_write_queue);
                else
                        skb_queue_head(&sk->sk_write_queue, skb);
                last = skb;
        }
}
87
/*
 *      Check that nr lies in the window from V(a) to V(s) inclusive,
 *      walking the window modulo the link's sequence modulus.
 *      Returns 1 when nr is inside the window and 0 otherwise.
 *
 *      NOTE(review): the walk only terminates if V(s) can be reached from
 *      V(a) by stepping modulo the modulus, i.e. if both are kept below
 *      it - confirm the state machine maintains that.
 */
int x25_validate_nr(struct sock *sk, unsigned short nr)
{
        struct x25_sock *x25 = x25_sk(sk);
        int modulus = x25->neighbour->extended ? X25_EMODULUS : X25_SMODULUS;
        unsigned short vc;

        for (vc = x25->va; vc != x25->vs; vc = (vc + 1) % modulus) {
                if (vc == nr)
                        return 1;
        }

        /* The upper edge of the window, V(s) itself, is also acceptable. */
        return nr == x25->vs;
}
106
/*
 *  This routine is called when the packet layer internally generates a
 *  control frame.
 *
 *  It sizes and allocates an skb for the given frametype, writes the GFI/LCI
 *  header followed by the type-specific body, and hands the result to
 *  x25_transmit_link() for the socket's neighbour.
 *
 *  Nothing is sent, and the caller is not told, when frametype is not one
 *  of the handled values (an error is logged) or when the GFP_ATOMIC
 *  allocation fails.
 *
 *  The skb is sized from compile-time maxima in the first switch, while the
 *  second switch appends lengths computed at run time; see the review notes
 *  at each skb_put() below.
 */
void x25_write_internal(struct sock *sk, int frametype)
{
        struct x25_sock *x25 = x25_sk(sk);
        struct sk_buff *skb;
        unsigned char  *dptr;
        /* Stack staging buffers for the encoded facilities and addresses. */
        unsigned char  facilities[X25_MAX_FAC_LEN];
        unsigned char  addresses[1 + X25_ADDR_LEN];
        unsigned char  lci1, lci2;
        /*
         *      Default safe frame size.
         */
        int len = X25_MAX_L2_LEN + X25_EXT_MIN_LEN;

        /*
         *      Adjust frame size.
         *
         *      Each case adds the worst-case size of what the matching case
         *      in the second switch will append.
         */
        switch (frametype) {
                case X25_CALL_REQUEST:
                        len += 1 + X25_ADDR_LEN + X25_MAX_FAC_LEN +
                               X25_MAX_CUD_LEN;
                        break;
                case X25_CALL_ACCEPTED: /* fast sel with no restr on resp */
                        if(x25->facilities.reverse & 0x80) {
                                len += 1 + X25_MAX_FAC_LEN + X25_MAX_CUD_LEN;
                        } else {
                                len += 1 + X25_MAX_FAC_LEN;
                        }
                        break;
                case X25_CLEAR_REQUEST:
                case X25_RESET_REQUEST:
                        len += 2;
                        break;
                case X25_RR:
                case X25_RNR:
                case X25_REJ:
                case X25_CLEAR_CONFIRMATION:
                case X25_INTERRUPT_CONFIRMATION:
                case X25_RESET_CONFIRMATION:
                        break;
                default:
                        printk(KERN_ERR "X.25: invalid frame type %02X\n",
                               frametype);
                        return;
        }

        /* Atomic allocation; on failure the control frame is dropped. */
        if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL)
                return;

        /*
         *      Space for Ethernet and 802.2 LLC headers.
         */
        skb_reserve(skb, X25_MAX_L2_LEN);

        /*
         *      Make space for the GFI and LCI, and fill them in.
         */
        dptr = skb_put(skb, 2);

        /* lci1: bits 8-11 of the LCI; lci2: the low eight bits. */
        lci1 = (x25->lci >> 8) & 0x0F;
        lci2 = (x25->lci >> 0) & 0xFF;

        if (x25->neighbour->extended) {
                *dptr++ = lci1 | X25_GFI_EXTSEQ;
                *dptr++ = lci2;
        } else {
                *dptr++ = lci1 | X25_GFI_STDSEQ;
                *dptr++ = lci2;
        }

        /*
         *      Now fill in the frame type specific information.
         */
        switch (frametype) {

                case X25_CALL_REQUEST:
                        dptr    = skb_put(skb, 1);
                        *dptr++ = X25_CALL_REQUEST;
                        /*
                         * NOTE(review): assumes x25_addr_aton() returns at
                         * most sizeof(addresses) - verify in its definition.
                         */
                        len     = x25_addr_aton(addresses, &x25->dest_addr,
                                                &x25->source_addr);
                        dptr    = skb_put(skb, len);
                        memcpy(dptr, addresses, len);
                        /*
                         * NOTE(review): assumes x25_create_facilities()
                         * never produces more than X25_MAX_FAC_LEN bytes -
                         * verify in its definition.
                         */
                        len     = x25_create_facilities(facilities,
                                        &x25->facilities,
                                        &x25->dte_facilities,
                                        x25->neighbour->global_facil_mask);
                        dptr    = skb_put(skb, len);
                        memcpy(dptr, facilities, len);
                        /*
                         * NOTE(review): only X25_MAX_CUD_LEN bytes were
                         * budgeted for call user data above; cudlength is
                         * not checked here, so it must be bounded wherever
                         * it is set - confirm every writer enforces that.
                         */
                        dptr = skb_put(skb, x25->calluserdata.cudlength);
                        memcpy(dptr, x25->calluserdata.cuddata,
                               x25->calluserdata.cudlength);
                        /* The call user data is consumed once sent. */
                        x25->calluserdata.cudlength = 0;
                        break;

                case X25_CALL_ACCEPTED:
                        dptr    = skb_put(skb, 2);
                        *dptr++ = X25_CALL_ACCEPTED;
                        *dptr++ = 0x00;         /* Address lengths */
                        /* Same facilities size assumption as the call request. */
                        len     = x25_create_facilities(facilities,
                                                        &x25->facilities,
                                                        &x25->dte_facilities,
                                                        x25->vc_facil_mask);
                        dptr    = skb_put(skb, len);
                        memcpy(dptr, facilities, len);

                        /* fast select with no restriction on response
                                allows call user data. Userland must
                                ensure it is ours and not theirs */
                        /*
                         * The test below mirrors the sizing switch, so room
                         * for call user data was only reserved when it holds.
                         * NOTE(review): cudlength is again trusted to be at
                         * most X25_MAX_CUD_LEN - confirm at its writers.
                         */
                        if(x25->facilities.reverse & 0x80) {
                                dptr = skb_put(skb,
                                        x25->calluserdata.cudlength);
                                memcpy(dptr, x25->calluserdata.cuddata,
                                       x25->calluserdata.cudlength);
                        }
                        x25->calluserdata.cudlength = 0;
                        break;

                case X25_CLEAR_REQUEST:
                case X25_RESET_REQUEST:
                        /* Frame type followed by two bytes sent as zero. */
                        dptr    = skb_put(skb, 3);
                        *dptr++ = frametype;
                        *dptr++ = 0x00;         /* XXX */
                        *dptr++ = 0x00;         /* XXX */
                        break;

                case X25_RR:
                case X25_RNR:
                case X25_REJ:
                        /*
                         * Extended sequencing carries V(r) in a second byte
                         * (bits 1-7); standard sequencing packs it into bits
                         * 5-7 of the frame type byte.
                         */
                        if (x25->neighbour->extended) {
                                dptr     = skb_put(skb, 2);
                                *dptr++  = frametype;
                                *dptr++  = (x25->vr << 1) & 0xFE;
                        } else {
                                dptr     = skb_put(skb, 1);
                                *dptr    = frametype;
                                *dptr++ |= (x25->vr << 5) & 0xE0;
                        }
                        break;

                case X25_CLEAR_CONFIRMATION:
                case X25_INTERRUPT_CONFIRMATION:
                case X25_RESET_CONFIRMATION:
                        dptr  = skb_put(skb, 1);
                        *dptr = frametype;
                        break;
        }

        x25_transmit_link(skb, x25->neighbour);
}
259
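/*
 *      Unpick the contents of the passed X.25 Packet Layer frame.
 *
 *      Returns the decoded frame type, or X25_ILLEGAL when the frame is
 *      too short to decode or its type octet is not recognised. The
 *      outputs *ns, *nr, *q, *d and *m are always reset to 0 first and
 *      are filled in only for the frame types that carry them.
 *
 *      The frame contents come from the peer, so each octet is read only
 *      after the skb has been checked to hold it: three octets (GFI, LCI,
 *      type) for every frame, and a fourth when extended sequencing puts
 *      the sequence numbers in frame[3].
 */
int x25_decode(struct sock *sk, struct sk_buff *skb, int *ns, int *nr, int *q,
               int *d, int *m)
{
        struct x25_sock *x25 = x25_sk(sk);
        unsigned char *frame;

        *ns = *nr = *q = *d = *m = 0;

        /* A runt frame must not be indexed at frame[2]. */
        if (!pskb_may_pull(skb, X25_STD_MIN_LEN))
                return X25_ILLEGAL;
        frame = skb->data;

        switch (frame[2]) {
                case X25_CALL_REQUEST:
                case X25_CALL_ACCEPTED:
                case X25_CLEAR_REQUEST:
                case X25_CLEAR_CONFIRMATION:
                case X25_INTERRUPT:
                case X25_INTERRUPT_CONFIRMATION:
                case X25_RESET_REQUEST:
                case X25_RESET_CONFIRMATION:
                case X25_RESTART_REQUEST:
                case X25_RESTART_CONFIRMATION:
                case X25_REGISTRATION_REQUEST:
                case X25_REGISTRATION_CONFIRMATION:
                case X25_DIAGNOSTIC:
                        return frame[2];
        }

        if (x25->neighbour->extended) {
                if (frame[2] == X25_RR  ||
                    frame[2] == X25_RNR ||
                    frame[2] == X25_REJ) {
                        /* N(r) lives in a fourth octet; make sure it exists. */
                        if (!pskb_may_pull(skb, X25_EXT_MIN_LEN))
                                return X25_ILLEGAL;
                        /* pskb_may_pull() may have moved the data. */
                        frame = skb->data;

                        *nr = (frame[3] >> 1) & 0x7F;
                        return frame[2];
                }
        } else {
                if ((frame[2] & 0x1F) == X25_RR  ||
                    (frame[2] & 0x1F) == X25_RNR ||
                    (frame[2] & 0x1F) == X25_REJ) {
                        *nr = (frame[2] >> 5) & 0x07;
                        return frame[2] & 0x1F;
                }
        }

        if (x25->neighbour->extended) {
                if ((frame[2] & 0x01) == X25_DATA) {
                        /* M bit and N(r) live in a fourth octet. */
                        if (!pskb_may_pull(skb, X25_EXT_MIN_LEN))
                                return X25_ILLEGAL;
                        frame = skb->data;

                        *q  = (frame[0] & X25_Q_BIT) == X25_Q_BIT;
                        *d  = (frame[0] & X25_D_BIT) == X25_D_BIT;
                        *m  = (frame[3] & X25_EXT_M_BIT) == X25_EXT_M_BIT;
                        *nr = (frame[3] >> 1) & 0x7F;
                        *ns = (frame[2] >> 1) & 0x7F;
                        return X25_DATA;
                }
        } else {
                if ((frame[2] & 0x01) == X25_DATA) {
                        *q  = (frame[0] & X25_Q_BIT) == X25_Q_BIT;
                        *d  = (frame[0] & X25_D_BIT) == X25_D_BIT;
                        *m  = (frame[2] & X25_STD_M_BIT) == X25_STD_M_BIT;
                        *nr = (frame[2] >> 5) & 0x07;
                        *ns = (frame[2] >> 1) & 0x07;
                        return X25_DATA;
                }
        }

        printk(KERN_DEBUG "X.25: invalid PLP frame %02X %02X %02X\n",
               frame[0], frame[1], frame[2]);

        return X25_ILLEGAL;
}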
329
/*
 *      Centralised disconnection processing: purge the queues, stop the
 *      timer, reset the X.25 state to X25_STATE_0 with no LCI, record the
 *      cause/diagnostic pair, and mark the socket closed with sk_err set
 *      to reason. A socket not already flagged SOCK_DEAD gets its
 *      state-change callback invoked once and is then flagged dead.
 */
void x25_disconnect(struct sock *sk, int reason, unsigned char cause,
                    unsigned char diagnostic)
{
        struct x25_sock *x25 = x25_sk(sk);

        x25_clear_queues(sk);
        x25_stop_timer(sk);

        /* X.25 layer state. */
        x25->lci = 0;
        x25->state = X25_STATE_0;
        x25->causediag.cause = cause;
        x25->causediag.diagnostic = diagnostic;

        /* Generic socket state. */
        sk->sk_state = TCP_CLOSE;
        sk->sk_err = reason;
        sk->sk_shutdown |= SEND_SHUTDOWN;

        /* Already dead: nobody left to notify. */
        if (sock_flag(sk, SOCK_DEAD))
                return;

        sk->sk_state_change(sk);
        sock_set_flag(sk, SOCK_DEAD);
}
353
/*
 * If we had declared ourselves receive-busy and allocated receive memory
 * has since dropped below half of the receive buffer size, clear the busy
 * and ack-pending conditions, set V(l) to V(r), send an RR to the peer and
 * stop the timer.
 */
void x25_check_rbuf(struct sock *sk)
{
        struct x25_sock *x25 = x25_sk(sk);

        /* Still at least half full: stay busy. */
        if (atomic_read(&sk->sk_rmem_alloc) >= (sk->sk_rcvbuf >> 1))
                return;

        /* Nothing to clear unless we were the busy side. */
        if (!(x25->condition & X25_COND_OWN_RX_BUSY))
                return;

        x25->condition &= ~(X25_COND_OWN_RX_BUSY | X25_COND_ACK_PENDING);
        x25->vl = x25->vr;
        x25_write_internal(sk, X25_RR);
        x25_stop_timer(sk);
}
371