summaryrefslogtreecommitdiffstats
path: root/net
Commit message (Collapse)AuthorAgeFilesLines
* [NETFILTER]: ip_nat_proto_gre: do not modify/corrupt GREv0 packets through NATJorge Boncompte2007-05-041-13/+8
| | | | | | | | | | | | | | | | While porting some changes of the 2.6.21-rc7 pptp/proto_gre conntrack and nat modules to a 2.4.32 kernel I noticed that the gre_key function returns a wrong pointer to the GRE key of a version 0 packet thus corrupting the packet payload. The intended behaviour for GREv0 packets is to act like ip_conntrack_proto_generic/ip_nat_proto_unknown so I have ripped the offending functions (not used anymore) and modified the ip_nat_proto_gre modules to not touch version 0 (non PPTP) packets. Signed-off-by: Jorge Boncompte <jorge@dti2.net> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [IPV6]: Disallow RH0 by default (CVE-2007-2242)Adrian Bunk2007-05-012-7/+41
| | | | | | | | | | A security issue is emerging. Disallow Routing Header Type 0 by default as we have been doing for IPv4. This version already includes a fix for the original patch. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [NETLINK]: Infinite recursion in netlink (CVE-2007-1861)Adrian Bunk2007-05-011-1/+11
| | | | | | | | | | | | | | | | | | | | | Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel, which resulted in infinite recursion and stack overflow. The bug is present in all kernel versions since the feature appeared. The patch also makes some minimal cleanup: 1. Return something consistent (-ENOENT) when fib table is missing 2. Do not crash when queue is empty (does not happen, but yet) 3. Put result of lookup Sergey Vlasov: Oops fix Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: Sergey Vlasov <vsu@altlinux.ru> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* IrDA: irttp_dup spin_lock initialisationGuennadi Liakhovetski2007-04-251-0/+1
| | | | | | | | | | | Without this initialization one gets kernel BUG at kernel/rtmutex_common.h:80! Signed-off-by: G. Liakhovetski <gl@dsa-ac.de> Signed-off-by: Samuel Ortiz <samuel@sortiz.org> Acked-by: David Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* IrDA: Incorrect TTP header reservationJeet Chaudhuri2007-04-251-2/+2
| | | | | | | | | | We must reserve SAR + MAX_HEADER bytes for IrLMP to fit in. This fixes an oops reported (and fixed) by Jeet Chaudhuri, when max_sdu_size is greater than 0. Signed-off-by: Samuel Ortiz <samuel@sortiz.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [IrDA]: Correctly handling socket errorOlaf Kirch2007-04-201-2/+1
| | | | | | | | | | | | | | | | | | This patch fixes an oops first reported in mid 2006 - see http://lkml.org/lkml/2006/8/29/358 The cause of this bug report is that when an error is signalled on the socket, irda_recvmsg_stream returns without removing a local wait_queue variable from the socket's sk_sleep queue. This causes havoc further down the road. In response to this problem, a patch was made that invoked sock_orphan on the socket when receiving a disconnect indication. This is not a good fix, as this sets sk_sleep to NULL, causing applications sleeping in recvmsg (and other places) to oops. Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com> Signed-off-by: Samuel Ortiz <samuel@sortiz.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [NET]: Fix UDP checksum issue in net poll mode.Aubrey Li2007-04-201-0/+7
| | | | | | | | | | | In net poll mode, the current checksum function doesn't consider the kind of packet which is padded to reach a specific minimum length. I believe that's the problem causing my test case failed. The following patch fixed this issue. Signed-off-by: Aubrey Li <aubreylee@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [NET_SCHED]: cls_tcindex: fix compatibility breakagePatrick McHardy2007-04-131-2/+2
| | | | | | | | | | | | Userspace uses an integer for TCA_TCINDEX_SHIFT, the kernel was changed to expect and use a u16 value in 2.6.11, which broke compatibility on big endian machines. Change back to use int. Reported by Ole Reinartz <ole.reinartz@gmx.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [IPSEC]: Reject packets within replay window but outside the bit maskHerbert Xu2007-04-131-1/+2
| | | | | | | | | | | | | Up until this point we've accepted replay window settings greater than 32 but our bit mask can only accomodate 32 packets. Thus any packet with a sequence number within the window but outside the bit mask would be accepted. This patch causes those packets to be rejected instead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [TCP]: Do receiver-side SWS avoidance for rcvbuf < MSS.John Heffner2007-04-131-0/+3
| | | | | | Signed-off-by: John Heffner <jheffner@psc.edu> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [IPv6]: Fix incorrect length check in rawv6_sendmsg()YOSHIFUJI Hideaki2007-04-132-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In article <20070329.142644.70222545.davem@davemloft.net> (at Thu, 29 Mar 2007 14:26:44 -0700 (PDT)), David Miller <davem@davemloft.net> says: > From: Sridhar Samudrala <sri@us.ibm.com> > Date: Thu, 29 Mar 2007 14:17:28 -0700 > > > The check for length in rawv6_sendmsg() is incorrect. > > As len is an unsigned int, (len < 0) will never be TRUE. > > I think checking for IPV6_MAXPLEN(65535) is better. > > > > Is it possible to send ipv6 jumbo packets using raw > > sockets? If so, we can remove this check. > > I don't see why such a limitation against jumbo would exist, > does anyone else? > > Thanks for catching this Sridhar. A good compiler should simply > fail to compile "if (x < 0)" when 'x' is an unsigned type, don't > you think :-) Dave, we use "int" for returning value, so we should fix this anyway, IMHO; we should not allow len > INT_MAX. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Acked-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [NET_SCHED]: cls_basic: fix memory leak in basic_destroyPatrick McHardy2007-04-131-0/+1
| | | | | | | | tp->root is not freed on destruction. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* APPLETALK: Fix a remotely triggerable crash (CVE-2007-1357)Jean Delvare2007-04-101-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When we receive an AppleTalk frame shorter than what its header says, we still attempt to verify its checksum, and trip on the BUG_ON() at the end of function atalk_sum_skb() because of the length mismatch. This has security implications because this can be triggered by simply sending a specially crafted ethernet frame to a target victim, effectively crashing that host. Thus this qualifies, I think, as a remote DoS. Here is the frame I used to trigger the crash, in npg format: <Appletalk Killer> { # Ethernet header ----- XX XX XX XX XX XX # Destination MAC 00 00 00 00 00 00 # Source MAC 00 1D # Length # LLC header ----- AA AA 03 08 00 07 80 9B # Appletalk # Appletalk header ----- 00 1B # Packet length (invalid) 00 01 # Fake checksum 00 00 00 00 # Destination and source networks 00 00 00 00 # Destination and source nodes and ports # Payload ----- 0C 0D 0E 0F 10 11 12 13 14 } The destination MAC address must be set to those of the victim. The severity is mitigated by two requirements: * The target host must have the appletalk kernel module loaded. I suspect this isn't so frequent. * AppleTalk frames are non-IP, thus I guess they can only travel on local networks. I am no network expert though, maybe it is possible to somehow encapsulate AppleTalk packets over IP. The bug has been reported back in June 2004: http://bugzilla.kernel.org/show_bug.cgi?id=2979 But it wasn't investigated, and was closed in July 2006 as both reporters had vanished meanwhile. This code was new in kernel 2.6.0-test5: http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2 And not modified since then, so we can assume that vanilla kernels 2.6.0-test5 and later, and distribution kernels based thereon, are affected. Note that I still do not know for sure what triggered the bug in the real-world cases. The frame could have been corrupted by the kernel if we have a bug hiding somewhere. But more likely, we are receiving the faulty frame from the network. Signed-off-by: Jean Delvare <jdelvare@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* tcp: fix cubic scaling errorStephen Hemminger2007-04-081-3/+3
| | | | | | | | | | | | | | | | | | | | Doug Leith observed a discrepancy between the version of CUBIC described in the papers and the version in 2.6.18. A math error related to scaling causes Cubic to grow too slowly. Patch is from "Sangtae Ha" <sha2@ncsu.edu>. I validated that it does fix the problems. See the following to show behavior over 500ms 100 Mbit link. Sender (2.6.19-rc3) --- Bridge (2.6.18-rt7) ------- Receiver (2.6.19-rc3) 1G [netem] 100M http://developer.osdl.org/shemminger/tcp/2.6.19-rc3/cubic-orig.png http://developer.osdl.org/shemminger/tcp/2.6.19-rc3/cubic-fix.png Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [IFB]: Fix crash on input device removalPatrick McHardy2007-04-033-6/+6
| | | | | | | | | | | The input_device pointer is not refcounted, which means the device may disappear while packets are queued, causing a crash when ifb passes packets with a stale skb->dev pointer to netif_rx(). Fix by storing the interface index instead and do a lookup where neccessary. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [IPV6] HASHTABLES: Use appropriate seed for caluculating ehash index.YOSHIFUJI Hideaki2007-03-281-1/+1
| | | | | | | | | | | | | Tetsuo Handa <handat@pm.nttdata.co.jp> told me that connect(2) with TCPv6 socket almost always took a few minutes to return when we did not have any ports available in the range of net.ipv4.ip_local_port_range. The reason was that we used incorrect seed for calculating index of hash when we check established sockets in __inet6_check_established(). Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [NET_SCHED]: Fix ingress lockingPatrick McHardy2007-03-281-2/+2
| | | | | | | | | | Ingress queueing uses a seperate lock for serializing enqueue operations, but fails to properly protect itself against concurrent changes to the qdisc tree. Use queue_lock for now since the real fix it quite intrusive. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [NET_SCHED]: cls_basic: fix NULL pointer dereferencePatrick McHardy2007-03-281-10/+7
| | | | | | | | | | | | | cls_basic doesn't allocate tp->root before it is linked into the active classifier list, resulting in a NULL pointer dereference when packets hit the classifier before its ->change function is called. Reported by Chris Madden <chris@reflexsecurity.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [NET_SCHED]: Fix endless loops caused by inaccurate qlen countersPatrick McHardy2007-03-2811-48/+126
| | | | | | | | | | | | | | | | | | | | | | There are multiple problems related to qlen adjustment that can lead to an upper qdisc getting out of sync with the real number of packets queued, leading to endless dequeueing attempts by the upper layer code. All qdiscs must maintain an accurate q.qlen counter. There are basically two groups of operations affecting the qlen: operations that propagate down the tree (enqueue, dequeue, requeue, drop, reset) beginning at the root qdisc and operations only affecting a subtree or single qdisc (change, graft, delete class). Since qlen changes during operations from the second group don't propagate to ancestor qdiscs, their qlen values become desynchronized. This patch adds a function to propagate qlen changes up the qdisc tree, optionally calling a callback function to perform qdisc-internal maintenance when the child qdisc is deactivated, and converts all qdiscs to use this where necessary. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [NETFILTER]: tcp conntrack: accept SYN|URG as validPatrick McHardy2007-03-242-2/+6
| | | | | | | | | | Some stacks apparently send packets with SYN|URG set. Linux accepts these packets, so TCP conntrack should to. Pointed out by Martijn Posthuma <posthuma@sangine.com>. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [NETFILTER]: nfnetlink_log: fix use after freeMichał Mirosław2007-03-241-1/+1
| | | | | | | | | Paranoia: instance_put() might have freed the inst pointer when we spin_unlock_bh(). Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [NETFILTER]: nfnetlink_log: fix reference leakMichał Mirosław2007-03-241-3/+4
| | | | | | | | | Stop reference leaking in nfulnl_log_packet(). If we start a timer we are already taking another reference. Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [NETFILTER]: nfnetlink_log: fix possible NULL pointer dereferenceMichał Mirosław2007-03-241-0/+4
| | | | | | | | Eliminate possible NULL pointer dereference in nfulnl_recv_config(). Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [NETFILTER]: nfnetlink_log: fix NULL pointer dereferenceMichał Mirosław2007-03-241-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix the nasty NULL dereference on multiple packets per netlink message. BUG: unable to handle kernel NULL pointer dereference at virtual address 00000004 printing eip: f8a4b3bf *pde = 00000000 Oops: 0002 [#1] SMP Modules linked in: nfnetlink_log ipt_ttl ipt_REDIRECT xt_tcpudp iptable_nat nf_nat nf_conntrack _ipv4 xt_state ipt_ipp2p xt_NFLOG xt_hashlimit ip6_tables iptable_filter xt_multiport xt_mark i pt_set iptable_raw xt_MARK iptable_mangle ip_tables cls_fw cls_u32 sch_esfq sch_htb ip_set_ipma p ip_set ipt_ULOG x_tables dm_snapshot dm_mirror loop e1000 parport_pc parport e100 floppy ide_ cd cdrom CPU: 0 EIP: 0060:[<f8a4b3bf>] Not tainted VLI EFLAGS: 00010206 (2.6.20 #5) EIP is at __nfulnl_send+0x24/0x51 [nfnetlink_log] eax: 00000000 ebx: f2b5cbc0 ecx: c03f5f54 edx: c03f4000 esi: f2b5cbc8 edi: c03f5f54 ebp: f8a4b3ec esp: c03f5f30 ds: 007b es: 007b ss: 0068 Process swapper (pid: 0, ti=c03f4000 task=c03bece0 task.ti=c03f4000) Stack: f2b5cbc0 f8a4b401 00000100 c0444080 c012af49 00000000 f6f19100 f6f19000 c1707800 c03f5f54 c03f5f54 00000123 00000021 c03e8d08 c0426380 00000009 c0126932 00000000 00000046 c03e9980 c03e6000 0047b007 c01269bd 00000000 Call Trace: [<f8a4b401>] nfulnl_timer+0x15/0x25 [nfnetlink_log] [<c012af49>] run_timer_softirq+0x10a/0x164 [<c0126932>] __do_softirq+0x60/0xba [<c01269bd>] do_softirq+0x31/0x35 [<c0104f6e>] do_IRQ+0x62/0x74 [<c01036cb>] common_interrupt+0x23/0x28 [<c0101018>] default_idle+0x0/0x3f [<c0101045>] default_idle+0x2d/0x3f [<c01010fa>] cpu_idle+0xa0/0xb9 [<c03fb7f5>] start_kernel+0x1a8/0x1ac [<c03fb293>] unknown_bootoption+0x0/0x181 ======================= Code: 5e 5f 5b 5e 5f 5d c3 53 89 c3 8d 40 1c 83 7b 1c 00 74 05 e8 2c ee 6d c7 83 7b 14 00 75 04 31 c0 eb 34 83 7b 10 01 76 09 8b 43 18 <66> c7 40 04 03 00 8b 53 34 8b 43 14 b9 40 00 00 00 e8 08 9a 84 EIP: [<f8a4b3bf>] __nfulnl_send+0x24/0x51 [nfnetlink_log] SS:ESP 0068:c03f5f30 <0>Kernel panic - not syncing: Fatal exception in interrupt <0>Rebooting in 5 seconds.. Panic no more! Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [NETFILTER]: nfnetlink_log: fix crash on bridged packetPatrick McHardy2007-03-241-1/+1
| | | | | | | | | | | physoutdev is only set on purely bridged packet, when nfnetlink_log is used in the OUTPUT/FORWARD/POSTROUTING hooks on packets forwarded from or to a bridge it crashes when trying to dereference skb->nf_bridge->physoutdev. Reported by Holger Eitzenberger <heitzenberger@astaro.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ↵Patrick McHardy2007-03-241-0/+1
| | | | | | | | | | | | | | | | ESTABLISHED The individual fragments of a packet reassembled by conntrack have the conntrack reference from the reassembled packet attached, but nfctinfo is not copied. This leaves it initialized to 0, which unfortunately is the value of IP_CT_ESTABLISHED. The result is that all IPv6 fragments are tracked as ESTABLISHED, allowing them to bypass a usual ruleset which accepts ESTABLISHED packets early. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* Fix reference counting (memory leak) problem in __nfulnl_send() and callers ↵Michał Mirosław2007-03-241-3/+12
| | | | | | | | related to packet queueing. Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* NETFILTER: xt_connbytes: fix division by zeroPatrick McHardy2007-03-241-17/+12
| | | | | | | | | | | | | When the packet counter of a connection is zero a division by zero occurs in div64_64(). Fix that by using zero as average value, which is correct as long as the packet counter didn't overflow, at which point we have lost anyway. Based on patch from Jonas Berlin <xkr47@outerspace.dyndns.org>, with suggestions from KOVACS Krisztian <hidden@balabit.hu>. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* NETFILTER: nf_conntrack_ipv6: fix crash when handling fragmentsPatrick McHardy2007-03-241-0/+2
| | | | | | | | | | | When IPv6 connection tracking splits up a defragmented packet into its original fragments, the packets are taken from a list and are passed to the network stack with skb->next still set. This causes dev_hard_start_xmit to treat them as GSO fragments, resulting in a use after free when connection tracking handles the next fragment. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* NETFILTER: ctnetlink: check for status attribute existence on conntrack creationPablo Neira Ayuso2007-03-242-6/+10
| | | | | | | | | | | | Check that status flags are available in the netlink message received to create a new conntrack. Fixes a crash in ctnetlink_create_conntrack when the CTA_STATUS attribute is not present. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* NETFILTER: Kconfig: fix xt_physdev dependenciesPatrick McHardy2007-03-241-1/+1
| | | | | | | | | xt_physdev depends on bridge netfilter, which is a boolean, but can still be built modular because of special handling in the bridge makefile. Add a dependency on BRIDGE to prevent XT_MATCH_PHYSDEV=y, BRIDGE=m. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [NET]: Copy mac_len in skb_clone() as wellAlexey Dobriyan2007-03-201-0/+1
| | | | | | | | | ANK says: "It is rarely used, that's wy it was not noticed. But in the places, where it is used, it should be disaster." Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [IPV6]: ipv6_fl_socklist is inadvertently shared.Masayuki Nakagawa2007-03-201-0/+1
| | | | | | | | | | | | | | The ipv6_fl_socklist from listening socket is inadvertently shared with new socket created for connection. This leads to a variety of interesting, but fatal, bugs. For example, removing one of the sockets may lead to the other socket's encountering a page fault when the now freed list is referenced. The fix is to not share the flow label list with the new socket. Signed-off-by: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [IPV4]: Do not disable preemption in trie_leaf_remove().Robert Olsson2007-03-201-2/+0
| | | | | | | | | | | | | | | | | | | | | Hello, Just discussed this Patrick... We have two users of trie_leaf_remove, fn_trie_flush and fn_trie_delete both are holding RTNL. So there shouldn't be need for this preempt stuff. This is assumed to a leftover from an older RCU-take. > Mhh .. I think I just remembered something - me incorrectly suggesting > to add it there while we were talking about this at OLS :) IIRC the > idea was to make sure tnode_free (which at that time didn't use > call_rcu) wouldn't free memory while still in use in a rcu read-side > critical section. It should have been synchronize_rcu of course, > but with tnode_free using call_rcu it seems to be completely > unnecessary. So I guess we can simply remove it. Signed-off-by: Robert Olsson <robert.olsson@its.uu.se> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [XFRM]: Fix missing protocol comparison of larval SAs.Joy Latten2007-03-201-1/+2
| | | | | | | | | | | | | | | I noticed that in xfrm_state_add we look for the larval SA in a few places without checking for protocol match. So when using both AH and ESP, whichever one gets added first, deletes the larval SA. It seems AH always gets added first and ESP is always the larval SA's protocol since the xfrm->tmpl has it first. Thus causing the additional km_query() Adding the check eliminates accidental double SA creation. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [IPV6] fix ipv6_getsockopt_sticky copy_to_user leakChris Wright2007-03-111-1/+1
| | | | | | | | | User supplied len < 0 can cause leak of kernel memory. Use unsigned compare instead. Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [IPV6]: Fix for ipv6_setsockopt NULL dereferenceOlaf Kirch2007-03-111-1/+1
| | | | | | | | I came across this bug in http://bugzilla.kernel.org/show_bug.cgi?id=8155 Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky(). (CVE-2007-1000)David S. Miller2007-03-091-3/+7
| | | | | Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [TCP]: Fix minisock tcp_create_openreq_child() typo.Arnaldo Carvalho de Melo2007-03-081-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | On 2/28/07, KOVACS Krisztian <hidden@balabit.hu> wrote: > > Hi, > > While reading TCP minisock code I've found this suspiciously looking > code fragment: > > - 8< - > struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req, struct sk_buff *skb) > { > struct sock *newsk = inet_csk_clone(sk, req, GFP_ATOMIC); > > if (newsk != NULL) { > const struct inet_request_sock *ireq = inet_rsk(req); > struct tcp_request_sock *treq = tcp_rsk(req); > struct inet_connection_sock *newicsk = inet_csk(sk); > struct tcp_sock *newtp; > - 8< - > > The above code initializes newicsk to inet_csk(sk), isn't that supposed > to be inet_csk(newsk)? As far as I can tell this might leave > icsk_ack.last_seg_size zero even if we do have received data. Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [IPV6]: /proc/net/anycast6 unbalanced inet6_dev refcntDavid Stevens2007-03-081-0/+1
| | | | | | | | | Reading /proc/net/anycast6 when there is no anycast address on an interface results in an ever-increasing inet6_dev reference count, as well as a reference to the netdevice you can't get rid of. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [IPV6]: anycast refcnt fixMichal Wrobel2007-03-081-0/+2
| | | | | | | | | | | This patch fixes a bug in Linux IPv6 stack which caused anycast address to be added to a device prior DAD has been completed. This led to incorrect reference count which resulted in infinite wait for unregister_netdevice completion on interface removal. Signed-off-by: Michal Wrobel <xmxwx@asn.pl> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [UDP]: Reread uh pointer after pskb_trimHerbert Xu2007-03-081-0/+1
| | | | | | | | The header may have moved when trimming. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [DECNET]: Fix sfuzz hanging on 2.6.18Patrick McHardy2007-02-261-1/+3
| | | | | | | | | | | | | | | | | | | | | | | Dave Jones wrote: > sfuzz D 724EF62A 2828 28717 28691 (NOTLB) > cd69fe98 00000082 0000012d 724ef62a 0001971a 00000010 00000007 df6d22b0 > dfd81080 725bbc5e 0001971a 000cc634 00000001 df6d23bc c140e260 00000202 > de1d5ba0 cd69fea0 de1d5ba0 00000000 00000000 de1d5b60 de1d5b8c de1d5ba0 > Call Trace: > [<c05b1708>] lock_sock+0x75/0xa6 > [<e0b0b604>] dn_getname+0x18/0x5f [decnet] > [<c05b083b>] sys_getsockname+0x5c/0xb0 > [<c05b0b46>] sys_socketcall+0xef/0x261 > [<c0403f97>] syscall_call+0x7/0xb > DWARF2 unwinder stuck at syscall_call+0x7/0xb > > I wonder if the plethora of lockdep related changes inadvertantly broke something? Looks like unbalanced locking. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [TCP]: Prevent pseudo garbage in SYN's advertized windowIlpo Järvinen2007-02-261-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | TCP may advertize up to 16-bits window in SYN packets (no window scaling allowed). At the same time, TCP may have rcv_wnd (32-bits) that does not fit to 16-bits without window scaling resulting in pseudo garbage into advertized window from the low-order bits of rcv_wnd. This can happen at least when mss <= (1<<wscale) (see tcp_select_initial_window). This patch fixes the handling of SYN advertized windows (compile tested only). In worst case (which is unlikely to occur though), the receiver advertized window could be just couple of bytes. I'm not sure that such situation would be handled very well at all by the receiver!? Fortunately, the situation normalizes after the first non-SYN ACK is received because it has the correct, scaled window. Alternatively, tcp_select_initial_window could be changed to prevent too large rcv_wnd in the first place. [ tcp_make_synack() has the same bug, and I've added a fix for that to this patch -DaveM ] Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [IPV4/IPV6] multicast: Check add_grhead() return valueAlexey Dobriyan2007-02-262-0/+4
| | | | | | | | | | | | add_grhead() allocates memory with GFP_ATOMIC and in at least two places skb from it passed to skb_put() without checking. Adrian Bunk: backported to 2.6.16 Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [Bluetooth] Restrict well known PSM to privileged usersMarcel Holtmann2007-02-211-0/+6
| | | | | | | | | The PSM values below 0x1001 of L2CAP are reserved for well known services. Restrict the possibility to bind them to privileged users. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [Bluetooth] Missing endian swapping for L2CAP socket listMarcel Holtmann2007-02-211-2/+2
| | | | | | | | The PSM value in the L2CAP socket list must be converted to host order before printing it. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* Revert "[Bluetooth] Fix compat ioctl for BNEP, CMTP and HIDP"Adrian Bunk2007-02-143-161/+17
| | | | | | This reverts commit ac4d63dab8bb425f1ae037abf349090c12f16883. Does not work in 2.6.16.
* [TCP]: struct tcp_sack_block annotationsAl Viro2007-02-142-2/+2
| | | | | | | | | | | Some of the instances of tcp_sack_block are host-endian, some - net-endian. Define struct tcp_sack_block_wire identical to struct tcp_sack_block with u32 replaced with __be32; annotate uses of tcp_sack_block replacing net-endian ones with tcp_sack_block_wire. Change is obviously safe since for cc(1) __be32 is typedefed to u32. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [IPX]: Fix NULL pointer dereference on ipx unloadJiri Bohac2007-02-141-8/+16
| | | | | | | | | | | | Fixes a null pointer dereference when unloading the ipx module. On initialization of the ipx module, registering certain packet types can fail. When this happens, unloading the module later dereferences NULL pointers. This patch fixes that. Please apply. Signed-off-by: Jiri Bohac <jbohac@suse.cz> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>