From 2db3e47e7080fde2a43d6312190d8229826b8e42 Mon Sep 17 00:00:00 2001 From: Brian Haley Date: Thu, 24 Apr 2008 20:38:31 -0700 Subject: af_key: Fix af_key.c compiler warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit net/key/af_key.c: In function ‘pfkey_spddelete’: net/key/af_key.c:2359: warning: ‘pol_ctx’ may be used uninitialized in this function When CONFIG_SECURITY_NETWORK_XFRM isn't set, security_xfrm_policy_alloc() is an inline that doesn't set pol_ctx, so this seemed like the easiest fix short of using *uninitialized_var(pol_ctx). Signed-off-by: Brian Haley Signed-off-by: David S. Miller --- net/key/af_key.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'net') diff --git a/net/key/af_key.c b/net/key/af_key.c index 81a8e5297ad..2403a31fe0f 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -2356,7 +2356,7 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg struct xfrm_selector sel; struct km_event c; struct sadb_x_sec_ctx *sec_ctx; - struct xfrm_sec_ctx *pol_ctx; + struct xfrm_sec_ctx *pol_ctx = NULL; if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1], ext_hdrs[SADB_EXT_ADDRESS_DST-1]) || @@ -2396,8 +2396,7 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg kfree(uctx); if (err) return err; - } else - pol_ctx = NULL; + } xp = xfrm_policy_bysel_ctx(XFRM_POLICY_TYPE_MAIN, pol->sadb_x_policy_dir - 1, &sel, pol_ctx, -- cgit v1.2.3 From c5835df9716bdb1af8e25e9a452f717e54e02ed0 Mon Sep 17 00:00:00 2001 From: Mandeep Singh Baines Date: Thu, 24 Apr 2008 20:55:56 -0700 Subject: ethtool: EEPROM dump no longer works for tg3 and natsemi In the ethtool user-space application, tg3 and natsemi over-ride the default implementation of dump_eeprom(). In both tg3_dump_eeprom() and natsemi_dump_eeprom(), there is a magic number check which is not present in the default implementation. Commit b131dd5d ("[ETHTOOL]: Add support for large eeproms") snipped the code which copied the ethtool_eeprom structure back to user-space. tg3 and natsemi are over-writing the magic number field and then checking it in user-space. With the ethtool_eeprom copy removed, the check is failing. The fix is simple. Add the ethtool_eeprom copy back. Signed-off-by: Mandeep Singh Baines Signed-off-by: David S. Miller --- net/core/ethtool.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'net') diff --git a/net/core/ethtool.c b/net/core/ethtool.c index a29b43d0b45..0133b5ebd54 100644 --- a/net/core/ethtool.c +++ b/net/core/ethtool.c @@ -323,6 +323,11 @@ static int ethtool_get_eeprom(struct net_device *dev, void __user *useraddr) bytes_remaining -= eeprom.len; } + eeprom.len = userbuf - (useraddr + sizeof(eeprom)); + eeprom.offset -= eeprom.len; + if (copy_to_user(useraddr, &eeprom, sizeof(eeprom))) + ret = -EFAULT; + kfree(data); return ret; } -- cgit v1.2.3 From 8d390efd903485923419584275fd0c2aa4c94183 Mon Sep 17 00:00:00 2001 From: Tom Quetchenbach Date: Thu, 24 Apr 2008 21:11:58 -0700 Subject: tcp: tcp_probe buffer overflow and incorrect return value tcp_probe has a bounds-checking bug that causes many programs (less, python) to crash reading /proc/net/tcp_probe. When it outputs a log line to the reader, it only checks if that line alone will fit in the reader's buffer, rather than that line and all the previous lines it has already written. tcpprobe_read also returns the wrong value if copy_to_user fails--it just passes on the return value of copy_to_user (number of bytes not copied), which makes a failure look like a success. This patch fixes the buffer overflow and sets the return value to -EFAULT if copy_to_user fails. Patch is against latest net-2.6; tested briefly and seems to fix the crashes in less and python. Signed-off-by: Tom Quetchenbach Signed-off-by: David S. Miller --- net/ipv4/tcp_probe.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'net') diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c index 1c509592574..5ff0ce6e9d3 100644 --- a/net/ipv4/tcp_probe.c +++ b/net/ipv4/tcp_probe.c @@ -190,19 +190,18 @@ static ssize_t tcpprobe_read(struct file *file, char __user *buf, width = tcpprobe_sprint(tbuf, sizeof(tbuf)); - if (width < len) + if (cnt + width < len) tcp_probe.tail = (tcp_probe.tail + 1) % bufsize; spin_unlock_bh(&tcp_probe.lock); /* if record greater than space available return partial buffer (so far) */ - if (width >= len) + if (cnt + width >= len) break; - error = copy_to_user(buf + cnt, tbuf, width); - if (error) - break; + if (copy_to_user(buf + cnt, tbuf, width)) + return -EFAULT; cnt += width; } -- cgit v1.2.3 From 1a98d05f59704d60be85b03f727964e15c77224c Mon Sep 17 00:00:00 2001 From: YOSHIFUJI Hideaki Date: Thu, 24 Apr 2008 21:30:38 -0700 Subject: ipv6 RAW: Disallow IPPROTO_IPV6-level IPV6_CHECKSUM socket option on ICMPv6 sockets. RFC3542 tells that IPV6_CHECKSUM socket option in the IPPROTO_IPV6 level is not allowed on ICMPv6 sockets. IPPROTO_RAW level IPV6_CHECKSUM socket option (a Linux extension) is still allowed. Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller --- net/ipv6/raw.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'net') diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 6193b124cbc..396f0ea1109 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c @@ -971,6 +971,19 @@ static int do_rawv6_setsockopt(struct sock *sk, int level, int optname, switch (optname) { case IPV6_CHECKSUM: + if (inet_sk(sk)->num == IPPROTO_ICMPV6 && + level == IPPROTO_IPV6) { + /* + * RFC3542 tells that IPV6_CHECKSUM socket + * option in the IPPROTO_IPV6 level is not + * allowed on ICMPv6 sockets. + * If you want to set it, use IPPROTO_RAW + * level IPV6_CHECKSUM socket option + * (Linux extension). + */ + return -EINVAL; + } + /* You may get strange result with a positive odd offset; RFC2292bis agrees with me. */ if (val > 0 && (val&1)) @@ -1046,6 +1059,11 @@ static int do_rawv6_getsockopt(struct sock *sk, int level, int optname, switch (optname) { case IPV6_CHECKSUM: + /* + * We allow getsockopt() for IPPROTO_IPV6-level + * IPV6_CHECKSUM socket option on ICMPv6 sockets + * since RFC3542 is silent about it. + */ if (rp->checksum == 0) val = -1; else -- cgit v1.2.3 From 5b3f129c5592ca35b3fe8916767c58b98710478c Mon Sep 17 00:00:00 2001 From: Michael Beasley Date: Thu, 24 Apr 2008 23:50:30 -0700 Subject: ipv6: Fix typo in net/ipv6/Kconfig Two is used in the wrong context here, as you are connecting to an IPv6 network over IPv4; not connecting two IPv6 networks to an IPv4 one. Signed-off-by: Michael Beasley Signed-off-by: David S. Miller --- net/ipv6/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig index 42814a2ec9d..b2c9becc02e 100644 --- a/net/ipv6/Kconfig +++ b/net/ipv6/Kconfig @@ -167,7 +167,7 @@ config IPV6_SIT Tunneling means encapsulating data of one protocol type within another protocol and sending it over a channel that understands the encapsulating protocol. This driver implements encapsulation of IPv6 - into IPv4 packets. This is useful if you want to connect two IPv6 + into IPv4 packets. This is useful if you want to connect to IPv6 networks over an IPv4-only path. Saying M here will produce a module called sit.ko. If unsure, say Y. -- cgit v1.2.3 From 653252c2302cdf2dfbca66a7e177f7db783f9efa Mon Sep 17 00:00:00 2001 From: Pavel Emelyanov Date: Fri, 25 Apr 2008 01:49:48 -0700 Subject: net: Fix wrong interpretation of some copy_to_user() results. I found some places, that erroneously return the value obtained from the copy_to_user() call: if some amount of bytes were not able to get to the user (this is what this one returns) the proper behavior is to return the -EFAULT error, not that number itself. Signed-off-by: Pavel Emelyanov Signed-off-by: David S. Miller --- net/can/raw.c | 3 ++- net/dccp/probe.c | 2 +- net/tipc/socket.c | 4 ++-- 3 files changed, 5 insertions(+), 4 deletions(-) (limited to 'net') diff --git a/net/can/raw.c b/net/can/raw.c index ead50c7c0d4..201cbfc6b9e 100644 --- a/net/can/raw.c +++ b/net/can/raw.c @@ -573,7 +573,8 @@ static int raw_getsockopt(struct socket *sock, int level, int optname, int fsize = ro->count * sizeof(struct can_filter); if (len > fsize) len = fsize; - err = copy_to_user(optval, ro->filter, len); + if (copy_to_user(optval, ro->filter, len)) + err = -EFAULT; } else len = 0; release_sock(sk); diff --git a/net/dccp/probe.c b/net/dccp/probe.c index 6e1df62bd7c..0bcdc925027 100644 --- a/net/dccp/probe.c +++ b/net/dccp/probe.c @@ -140,7 +140,7 @@ static ssize_t dccpprobe_read(struct file *file, char __user *buf, goto out_free; cnt = kfifo_get(dccpw.fifo, tbuf, len); - error = copy_to_user(buf, tbuf, cnt); + error = copy_to_user(buf, tbuf, cnt) ? -EFAULT : 0; out_free: vfree(tbuf); diff --git a/net/tipc/socket.c b/net/tipc/socket.c index 05853159536..230f9ca2ad6 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -1756,8 +1756,8 @@ static int getsockopt(struct socket *sock, else if (len < sizeof(value)) { res = -EINVAL; } - else if ((res = copy_to_user(ov, &value, sizeof(value)))) { - /* couldn't return value */ + else if (copy_to_user(ov, &value, sizeof(value))) { + res = -EFAULT; } else { res = put_user(sizeof(value), ol); -- cgit v1.2.3