linux/include/net, branch v2.6.16.43

[Bluetooth] Handle command complete event for exit periodic inquiry

2007-01-26T19:49:22Z

The command complete event of the exit periodic inquiry command must clear the HCI_INQUIRY flag and finish the HCI request. Signed-off-by: Marcel Holtmann Signed-off-by: Adrian Bunk

[IPX]: Annotate and fix IPX checksum

2006-11-24T02:03:34Z

Calculation of IPX checksum got buggered about 2.4.0. The old variant mangled the packet; that got fixed, but calculation itself got buggered. Restored the correct logics, fixed a subtle breakage we used to have even back then: if the sum is 0 mod 0xffff, we want to return 0, not 0xffff. The latter has special meaning for IPX (cheksum disabled). Observation (and obvious fix) nicked from history of FreeBSD ipx_cksum.c... Signed-off-by: Al Viro Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk

SCTP: Reject sctp packets with broadcast addresses.

2006-08-26T00:39:03Z

Make SCTP handle broadcast properly Signed-off-by: Vlad Yasevich Signed-off-by: Sridhar Samudrala Signed-off-by: David S. Miller Signed-off-by: Adrian Bunk

Fix sctp privilege elevation (CVE-2006-3745)

2006-08-23T16:01:55Z

sctp_make_abort_user() now takes the msg_len along with the msg so that we don't have to recalculate the bytes in iovec. It also uses memcpy_fromiovec() so that we don't go beyond the length allocated. It is good to have this fix even if verify_iovec() is fixed to return error on overflow. Signed-off-by: Sridhar Samudrala Acked-by: David Miller Signed-off-by: Adrian Bunk

[PATCH] SCTP: Respect the real chunk length when walking parameters (CVE-2006-1858)

2006-05-20T22:00:34Z

When performing bound checks during the parameter processing, we want to use the real chunk and paramter lengths for bounds instead of the rounded ones. This prevents us from potentially walking of the end if the chunk length was miscalculated. We still use rounded lengths when advancing the pointer. This was found during a conformance test that changed the chunk length without modifying parameters. (Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem is parameter dependent). Signed-off-by: Vlad Yasevich Signed-off-by: Sridhar Samudrala Signed-off-by: Chris Wright

[PATCH] SCTP: Allow spillover of receive buffer to avoid deadlock. (CVE-2006-2275)

2006-05-09T19:53:21Z

This patch fixes a deadlock situation in the receive path by allowing temporary spillover of the receive buffer. - If the chunk we receive has a tsn that immediately follows the ctsn, accept it even if we run out of receive buffer space and renege data with higher TSNs. - Once we accept one chunk in a packet, accept all the remaining chunks even if we run out of receive buffer space. Signed-off-by: Neil Horman Acked-by: Mark Butler Acked-by: Vlad Yasevich Signed-off-by: Sridhar Samudrala Signed-off-by: David S. Miller Signed-off-by: Chris Wright

[PATCH] NETFILTER: Fix fragmentation issues with bridge netfilter

2006-04-17T20:16:04Z

[NETFILTER]: Fix fragmentation issues with bridge netfilter The conntrack code doesn't do re-fragmentation of defragmented packets anymore but relies on fragmentation in the IP layer. Purely bridged packets don't pass through the IP layer, so the bridge netfilter code needs to take care of fragmentation itself. Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman

[AX.25]: Fix potencial memory hole.

2006-03-19T21:20:06Z

If the AX.25 dialect chosen by the sysadmin is set to DAMA master / 3 (or DAMA slave / 2, if CONFIG_AX25_DAMA_SLAVE=n) ax25_kick() will fall through the switch statement without calling ax25_send_iframe() or any other function that would eventually free skbn thus leaking the packet. Fix by restricting the sysctl inferface to allow only actually supported AX.25 dialects. The system administration mistake needed for this to happen is rather unlikely, so this is an uncritical hole. Coverity #651. Signed-off-by: Ralf Baechle DL5RB Signed-off-by: David S. Miller

[NET]: Fix race condition in sk_wait_event().

2006-03-18T00:05:43Z

It is broken, the condition is checked out of socket lock. It is wonderful the bug survived for so long time. [ This fixes bugzilla #6233: race condition in tcp_sendmsg when connection became established ] Signed-off-by: David S. Miller

[IPSEC]: Kill post_input hook and do NAT-T in esp_input directly

2006-02-27T21:00:40Z

The only reason post_input exists at all is that it gives us the potential to adjust the checksums incrementally in future which we ought to do. However, after thinking about it for a bit we can adjust the checksums without using this post_input stuff at all. The crucial point is that only the inner-most NAT-T SA needs to be considered when adjusting checksums. What's more, the checksum adjustment comes down to a single u32 due to the linearity of IP checksums. We just happen to have a spare u32 lying around in our skb structure :) When ip_summed is set to CHECKSUM_NONE on input, the value of skb->csum is currently unused. All we have to do is to make that the checksum adjustment and voila, there goes all the post_input and decap structures! I've left in the decap data structures for now since it's intricately woven into the sec_path stuff. We can kill them later too. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller