path: root/net
Age | Commit message | Author
2006-05-02 | [NETFILTER] SCTP conntrack: fix infinite loop | Patrick McHardy
fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to guarantee progress of for_each_sctp_chunk(). (all other uses of for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix should be complete.)
Based on patch from Ingo Molnar <mingo@elte.hu>
CVE-2006-1527
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-05-01 | Merge branch 'audit.b10' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current | Linus Torvalds
* 'audit.b10' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
  [PATCH] Audit Filter Performance
  [PATCH] Rework of IPC auditing
  [PATCH] More user space subject labels
  [PATCH] Reworked patch for labels on user space messages
  [PATCH] change lspp ipc auditing
  [PATCH] audit inode patch
  [PATCH] support for context based audit filtering, part 2
  [PATCH] support for context based audit filtering
  [PATCH] no need to wank with task_lock() and pinning task down in audit_syscall_exit()
  [PATCH] drop task argument of audit_syscall_{entry,exit}
  [PATCH] drop gfp_mask in audit_log_exit()
  [PATCH] move call of audit_free() into do_exit()
  [PATCH] sockaddr patch
  [PATCH] deal with deadlocks in audit_free()
2006-05-01 | [NETFILTER] x_tables: fix compat related crash on non-x86 | Patrick McHardy
When iptables userspace adds an ipt_standard_target, it calculates the size of the entire entry as:
    sizeof(struct ipt_entry) + XT_ALIGN(sizeof(struct ipt_standard_target))
ipt_standard_target looks like this:
    struct xt_standard_target {
        struct xt_entry_target target;
        int verdict;
    };
xt_entry_target contains a pointer, so when compiled for 64 bit the structure gets an extra 4 byte of padding at the end. On 32 bit architectures where iptables aligns to 8 byte it will also have 4 byte padding at the end because it is only 36 bytes large.
The compat_ipt_standard_fn in the kernel adjusts the offsets by
    sizeof(struct ipt_standard_target) - sizeof(struct compat_ipt_standard_target),
which will always result in 4, even if the structure from userspace was already padded to a multiple of 8. On x86 this works out by accident because userspace only aligns to 4, on all other architectures this is broken and causes incorrect adjustments to the size and following offsets.
Thanks to Linus for lots of debugging help and testing.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-05-01 | [PATCH] Reworked patch for labels on user space messages | Steve Grubb
The below patch should be applied after the inode and ipc sid patches. This patch is a reworking of Tim's patch that has been updated to match the inode and ipc patches since it's similar.
[updated:
> Stephen Smalley also wanted to change a variable from isec to tsec in the
> user sid patch. ]
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-05-01 | [PATCH] sockaddr patch | Steve Grubb
On Thursday 23 March 2006 09:08, John D. Ramsdell wrote:
> I noticed that a socketcall(bind) and socketcall(connect) event contain a
> record of type=SOCKADDR, but I cannot see one for a system call event
> associated with socketcall(accept). Recording the sockaddr of an accepted
> socket is important for cross platform information flow analys
Thanks for pointing this out. The following patch should address this.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2006-04-29 | [IPV6]: Fix race in route selection. | YOSHIFUJI Hideaki
We eliminated rt6_dflt_lock (to protect default router pointer) at 2.6.17-rc1, and introduced rt6_select() for general router selection. The function is called in the context of rt6_lock read-lock held, but this means, we have some race conditions when we do round-robin.
Signed-off-by; YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-29 | [XFRM]: fix incorrect xfrm_policy_afinfo_lock use | Ingo Molnar
xfrm_policy_afinfo_lock can be taken in bh context, at:
    [<c013fe1a>] lockdep_acquire_read+0x54/0x6d
    [<c0f6e024>] _read_lock+0x15/0x22
    [<c0e8fcdb>] xfrm_policy_get_afinfo+0x1a/0x3d
    [<c0e8fd10>] xfrm_decode_session+0x12/0x32
    [<c0e66094>] ip_route_me_harder+0x1c9/0x25b
    [<c0e770d3>] ip_nat_local_fn+0x94/0xad
    [<c0e2bbc8>] nf_iterate+0x2e/0x7a
    [<c0e2bc50>] nf_hook_slow+0x3c/0x9e
    [<c0e3a342>] ip_push_pending_frames+0x2de/0x3a7
    [<c0e53e19>] icmp_push_reply+0x136/0x141
    [<c0e543fb>] icmp_reply+0x118/0x1a0
    [<c0e54581>] icmp_echo+0x44/0x46
    [<c0e53fad>] icmp_rcv+0x111/0x138
    [<c0e36764>] ip_local_deliver+0x150/0x1f9
    [<c0e36be2>] ip_rcv+0x3d5/0x413
    [<c0df760f>] netif_receive_skb+0x337/0x356
    [<c0df76c3>] process_backlog+0x95/0x110
    [<c0df5fe2>] net_rx_action+0xa5/0x16d
    [<c012d8a7>] __do_softirq+0x6f/0xe6
    [<c0105ec2>] do_softirq+0x52/0xb1
this means that all write-locking of xfrm_policy_afinfo_lock must be bh-safe. This patch fixes xfrm_policy_register_afinfo() and xfrm_policy_unregister_afinfo().
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-29 | [XFRM]: fix incorrect xfrm_state_afinfo_lock use | Ingo Molnar
xfrm_state_afinfo_lock can be read-locked from bh context, so take it in a bh-safe manner in xfrm_state_register_afinfo() and xfrm_state_unregister_afinfo(). Found by the lock validator.
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-29 | [TCP]: Fix unlikely usage in tcp_transmit_skb() | Hua Zhong
The following unlikely should be replaced by likely because the condition happens every time unless there is a hard error to transmit a packet.
Signed-off-by: Hua Zhong <hzhong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-29 | [XFRM]: fix softirq-unsafe xfrm typemap->lock use | Ingo Molnar
xfrm typemap->lock may be used in softirq context, so all write_lock() uses must be softirq-safe.
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-29 | [IPSEC]: Fix IP ID selection | Herbert Xu
I was looking through the xfrm input/output code in order to abstract out the address family specific encapsulation/decapsulation code. During that process I found this bug in the IP ID selection code in xfrm4_output.c.
At that point dst is still the xfrm_dst for the current SA which represents an internal flow as far as the IPsec tunnel is concerned. Since the IP ID is going to sit on the outside of the encapsulated packet, we obviously want the external flow which is just dst->child.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-29 | [IPV4]: inet_init() -> fs_initcall | Heiko Carstens
Convert inet_init to an fs_initcall to make sure it's called before any device driver's initcall.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-29 | [NETLINK]: cleanup unused macro in net/netlink/af_netlink.c | Soyoung Park
1 line removal, of unused macro. ran 'egrep -r' from linux-2.6.16/ for Nprintk and didn't see it anywhere else but here, in #define...
Signed-off-by: Soyoung Park <speattle@yahoo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-29 | [PKT_SCHED] netem: fix loss | Stephen Hemminger
The following one line fix is needed to make loss function of netem work right when doing loss on the local host. Otherwise, higher layers just recover.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-29 | [X25]: fix for spinlock recurse and spinlock lockup with timer handler | Shaun Pereira
When the sk_timer function x25_heartbeat_expiry() is called by the kernel in a running/terminating process, spinlock-recursion and spinlock-lockup locks up the kernel. This has happened with testing on some distros and the patch below fixed it.
Signed-off-by: Shaun Pereira <spereira@tusc.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-26 | Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6 | Linus Torvalds
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6:
  [PATCH] forcedeth: fix initialization
  [PATCH] sky2: version 1.2
  [PATCH] sky2: reset function can be devinit
  [PATCH] sky2: use ALIGN() macro
  [PATCH] sky2: add fake idle irq timer
  [PATCH] sky2: reschedule if irq still pending
  [PATCH] bcm43xx: make PIO mode usable
  [PATCH] bcm43xx: add to MAINTAINERS
  [PATCH] softmac: fix SIOCSIWAP
  [PATCH] Fix crash on big-endian systems during scan
  e1000: Update truesize with the length of the packet for packet split
  [PATCH] Fix locking in gianfar
2006-04-26 | Merge branch 'upstream-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 into upstream-fixes | Jeff Garzik
2006-04-26 | [BRIDGE]: allow full size vlan packets | Stephen Hemminger
Need to allow for VLAN header when bridging.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-24 | [NETFILTER]: ipt action: use xt_check_target for basic verification | Patrick McHardy
The targets don't do the basic verification themselves anymore so the ipt action needs to take care of it.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-24 | [NETFILTER]: x_tables: move table->lock initialization | Dmitry Mishin
xt_table->lock should be initialized before xt_replace_table() call, which uses it. This patch removes strict requirement that table should define lock before registering.
Signed-off-by: Dmitry Mishin <dim@openvz.org>
Signed-off-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-24 | [NETFILTER]: ip6_tables: remove broken comefrom debugging | Patrick McHardy
The introduction of x_tables broke comefrom debugging, remove it from ip6_tables as well (ip_tables already got removed).
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-24 | [NETFILTER]: nf_conntrack: kill unused callback init_conntrack | Yasuyuki Kozakai
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-24 | [NETFILTER]: ULOG target is not obsolete | Thomas Voegtle
The backend part is obsoleted, but the target itself is still needed.
Signed-off-by: Thomas Voegtle <tv@lio96.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-24 | [NETFILTER]: nf_conntrack: Fix module refcount dropping too far | Yasuyuki Kozakai
If nf_ct_l3proto_find_get() fails to get the refcount of nf_ct_l3proto_generic, nf_ct_l3proto_put() will drop the refcount too far.
This gets rid of '.me = THIS_MODULE' of nf_ct_l3proto_generic so that nf_ct_l3proto_find_get() doesn't try to get refcount of it. It's OK because its symbol is usable until nf_conntrack.ko is unloaded.
This also kills unnecessary NULL pointer check as well. __nf_ct_proto_find() always returns non-NULL pointer.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-24 | [PATCH] softmac: fix SIOCSIWAP | Johannes Berg
There are some bugs in the current implementation of the SIOCSIWAP wext, for example that when you do it twice and it fails, it may still try another access point for some reason. This patch fixes this by introducing a new flag that tells the association code that the bssid that is in use was fixed by the user and shouldn't be deviated from.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-04-20 | Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6 | Linus Torvalds
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6: (21 commits)
  [PATCH] wext: Fix RtNetlink ENCODE security permissions
  [PATCH] bcm43xx: iw_priv_args names should be <16 characters
  [PATCH] bcm43xx: sysfs code cleanup
  [PATCH] bcm43xx: fix pctl slowclock limit calculation
  [PATCH] bcm43xx: fix dyn tssi2dbm memleak
  [PATCH] bcm43xx: fix config menu alignment
  [PATCH] bcm43xx wireless: fix printk format warnings
  [PATCH] softmac: report when scanning has finished
  [PATCH] softmac: fix event sending
  [PATCH] softmac: handle iw_mode properly
  [PATCH] softmac: dont send out packets while scanning
  [PATCH] softmac: return -EAGAIN from getscan while scanning
  [PATCH] bcm43xx: set trans_start on TX to prevent bogus timeouts
  [PATCH] orinoco: fix truncating commsquality RID with the latest Symbol firmware
  [PATCH] softmac: fix spinlock recursion on reassoc
  [PATCH] Revert NET_RADIO Kconfig title change
  [PATCH] wext: Fix IWENCODEEXT security permissions
  [PATCH] wireless/atmel: send WEXT scan completion events
  [PATCH] wireless/airo: clean up WEXT association and scan events
  [PATCH] softmac uses Wiress Ext.
  ...
2006-04-20 | Merge branch 'upstream-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 | Jeff Garzik
2006-04-20 | [EBTABLES]: Clean up vmalloc usage in net/bridge/netfilter/ebtables.c | Jayachandran C
Make all the vmalloc calls in net/bridge/netfilter/ebtables.c follow the standard convention. Remove unnecessary casts, and use '*object' instead of 'type'.
Signed-off-by: Jayachandran C. <c.jayachandran@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-20 | [NET]: Add skb->truesize assertion checking. | David S. Miller
Add some sanity checking. truesize should be at least sizeof(struct sk_buff) plus the current packet length. If not, then truesize is seriously mangled and deserves a kernel log message.
Currently we'll do the check for release of stream socket buffers.
But we can add checks to more spots over time.
Incorporating ideas from Herbert Xu.
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-19 | [TCP]: Account skb overhead in tcp_fragment | Herbert Xu
Make sure that we get the full sizeof(struct sk_buff) plus the data size accounted for in skb->truesize.
This will create invariants that will allow adding assertion checks on skb->truesize.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-19 | [LLC]: Use pskb_trim_rcsum() in llc_fixup_skb(). | David S. Miller
Kernel Bugzilla #6409
If we use plain skb_trim(), that's wrong, because if the SKB is cloned, and it can be because we unshared it in the caller, we have to allow reallocation. The pskb_trim*() family of routines is therefore the most appropriate here.
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-19 | [NET]: sockfd_lookup_light() returns random error for -EBADFD | Hua Zhong
This applies to 2.6.17-rc2.
There is a missing initialization of err in sockfd_lookup_light() that could return random error for an invalid file handle.
Signed-off-by: Hua Zhong <hzhong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-19 | [PATCH] wext: Fix RtNetlink ENCODE security permissions | Jean Tourrilhes
I've just realised that the RtNetlink code does not check the permission for SIOCGIWENCODE and SIOCGIWENCODEEXT, which means that any user can read the encryption keys. The fix is trivial and should go in 2.6.17 alongside the two other patch I sent you last week.
Signed-off-by: Jean Tourrilhes <jt@hpl.hp.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-04-19 | [PATCH] softmac: report when scanning has finished | Johannes Berg
Make softmac report a scan event when scanning has finished, that way userspace can wait for the event to happen instead of polling for the results.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-04-19 | [PATCH] softmac: fix event sending | Johannes Berg
Softmac is sending custom events to userspace already, but it should _really_ be sending the right WEXT events instead. This patch fixes that.
Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-04-19 | [PATCH] softmac: handle iw_mode properly | johannes@sipsolutions.net
Below patch allows using iw_mode auto with softmac. bcm43xx forces managed so this bug wasn't noticed earlier, but this was one of the problems why zd1211 didn't work earlier.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-04-19 | [PATCH] softmac: dont send out packets while scanning | johannes@sipsolutions.net
Seems we forgot to stop the queue while scanning. Better do that so we don't transmit packets all the time during background scanning.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-04-19 | [PATCH] softmac: return -EAGAIN from getscan while scanning | johannes@sipsolutions.net
Below patch was developed after discussion with Daniel Drake who mentioned to me that wireless tools expect an EAGAIN return from getscan so that they can wait for the scan to finish before printing out the results.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-04-19 | [PATCH] softmac: fix spinlock recursion on reassoc | Michael Buesch
This fixes a spinlock recursion on receiving a reassoc request.
On reassoc, the softmac calls back into the driver. This results in a driver lock recursion. This schedules the assoc workqueue, instead of calling it directly.
Probably, we should defer the _whole_ management frame processing to a tasklet or workqueue, because it does several callbacks into the driver. That is dangerous.
This fix should go into linus's tree, before 2.6.17 is released, because it is remote exploitable (DoS by crash).
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-04-19 | [PATCH] wext: Fix IWENCODEEXT security permissions | Jean Tourrilhes
Check the permissions when user-space try to read the encryption parameters via SIOCGIWENCODEEXT. This is trivial and probably should go in 2.6.17...
Bug was found by Brian Eaton <eaton.lists@gmail.com>, thanks !
Signed-off-by: Jean Tourrilhes <jt@hpl.hp.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-04-19 | [PATCH] softmac uses Wiress Ext. | Randy Dunlap
softmac uses wireless extensions, so let it SELECT that config option;
WARNING: "wireless_send_event" [net/ieee80211/softmac/ieee80211softmac.ko] undefined!
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2006-04-19 | SUNRPC: Dead code in net/sunrpc/auth_gss/auth_gss.c | Eric Sesterhenn
Hi,
the coverity checker spotted that cred is always NULL when we jump to out_err ( there is just one case, when we fail to allocate the memory for cred )
This is Coverity ID #79
Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
2006-04-19 | NFS: make 2 functions static | Adrian Bunk
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
2006-04-19 | RPCSEC_GSS: fix leak in krb5 code caused by superfluous kmalloc | J. Bruce Fields
I was sloppy when generating a previous patch; I modified the callers of krb5_make_checksum() to allocate memory for the buffer where the result is returned, then forgot to modify krb5_make_checksum to stop allocating that memory itself. The result is a per-packet memory leak. This fixes the problem by removing the now-superfluous kmalloc().
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
2006-04-18 | [NET]: Remove redundant NULL checks before [kv]free | Jesper Juhl
Redundant NULL check before kfree removal from net/
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-18 | unaligned access in sk_run_filter() | Dmitry Mishin
This patch fixes unaligned access warnings noticed on IA64 in sk_run_filter(). 'ptr' can be unaligned.
Signed-off-By: Dmitry Mishin <dim@openvz.org>
Signed-off-By: Kirill Korotaev <dev@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-18 | [IPV6]: Clean up hop-by-hop options handler. | YOSHIFUJI Hideaki
- Removed unused argument (nhoff) for ipv6_parse_hopopts().
- Make ipv6_parse_hopopts() to align with other extension header handlers.
- Removed pointless assignment (hdr), which is not used afterwards.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-18 | [IPV6] XFRM: Fix decoding session with preceding extension header(s). | YOSHIFUJI Hideaki
We did not correctly decode session with preceding extension header(s). This was because we had already pulled preceding headers, skb->nh.raw + 40 + 1 - skb->data was minus, and pskb_may_pull() failed.
We now have IP6CB(skb)->nhoff and skb->h.raw, and we can start parsing / decoding upper layer protocol from current position.
Tracked down by Noriaki TAKAMIYA <takamiya@po.ntts.co.jp> and tested by Kazunori Miyazawa <kazunori@miyazawa.org>.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-18 | [IPV6] XFRM: Don't use old copy of pointer after pskb_may_pull(). | YOSHIFUJI Hideaki
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-18 | [IPV6]: Ensure to have hop-by-hop options in our header of &sk_buff. | YOSHIFUJI Hideaki
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>