From: Zhengchuan Liang <zcliangcn@gmail.com>

llc_conn_service() only rejects states above NBR_CONN_STATES, but
LLC_CONN_OUT_OF_SVC is also invalid for connection state processing.

The connection state tables are indexed by llc->state - 1, so only
states in the range 1..NBR_CONN_STATES are valid here. If a socket in
LLC_CONN_OUT_OF_SVC is still reachable and another frame is delivered
to it, llc_qualify_conn_ev() will walk the state tables with an
invalid index.

Drop LLC_CONN_OUT_OF_SVC before looking up the current state
transition. Return success for that state so repeated packets to a
stale reachable socket are ignored quietly instead of being turned
into llc_conn_service() failures.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
 net/llc/llc_conn.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
index 5c0ac243b248..715d5a314071 100644
--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -360,6 +360,10 @@ static int llc_conn_service(struct sock *sk, struct sk_buff *skb)
 	struct llc_sock *llc = llc_sk(sk);
 	int rc = 1;
 
+	if (llc->state == LLC_CONN_OUT_OF_SVC) {
+		rc = 0;
+		goto out;
+	}
 	if (llc->state > NBR_CONN_STATES)
 		goto out;
 	rc = 0;
-- 
2.34.1