linux/net/dccp, branch v3.4.18 Linux kernel source tree https://git.amat.us/linux/atom/net/dccp?h=v3.4.18 2012-10-02T17:29:37Z dccp: fix info leak via getsockopt(DCCP_SOCKOPT_CCID_TX_INFO) 2012-10-02T17:29:37Z Mathias Krause minipli@googlemail.com 2012-08-15T11:31:55Z urn:sha1:59039dc90bb7879bd4c8c959109d27131f0ce40f [ Upstream commit 7b07f8eb75aa3097cdfd4f6eac3da49db787381d ] The CCID3 code fails to initialize the trailing padding bytes of struct tfrc_tx_info added for alignment on 64 bit architectures. It that for potentially leaks four bytes kernel stack via the getsockopt() syscall. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> dccp: check ccid before dereferencing 2012-09-14T17:00:34Z Mathias Krause minipli@googlemail.com 2012-08-15T11:31:54Z urn:sha1:af843972724e172827266e91ba326c069c8c088c commit 276bdb82dedb290511467a5a4fdbe9f0b52dce6f upstream. ccid_hc_rx_getsockopt() and ccid_hc_tx_getsockopt() might be called with a NULL ccid pointer leading to a NULL pointer dereference. This could lead to a privilege escalation if the attacker is able to map page 0 and prepare it with a fake ccid_ops pointer. Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> dccp: fix bug in sequence number validation during connection setup 2012-03-03T16:02:52Z Samuel Jero sj323707@ohio.edu 2012-02-27T01:22:02Z urn:sha1:f541fb7e20c848f947ca65fbf169efe69400c942 This fixes a bug in the sequence number validation during the initial handshake. The code did not treat the initial sequence numbers ISS and ISR as read-only and did not keep state for GSR and GSS as required by the specification. This causes problems with retransmissions during the initial handshake, causing the budding connection to be reset. This patch now treats ISS/ISR as read-only and tracks GSS/GSR as required. Signed-off-by: Samuel Jero <sj323707@ohio.edu> Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> dccp ccid-3: replace incorrect BUG_ON 2012-03-03T16:02:36Z Gerrit Renker gerrit@erg.abdn.ac.uk 2012-02-27T19:29:44Z urn:sha1:793734b587a670e47a8d65f9e5211ba2188bb904 This replaces an unjustified BUG_ON(), which could get triggered under normal conditions: X_calc can be 0 when p > 0. X would in this case be set to the minimum, s/t_mbi. Its replacement avoids t_ipi = 0 (unbounded sending rate). Thanks to Jordi, Victor and Xavier who reported this. Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Acked-by: Ian McDonald <ian.mcdonald@jandi.co.uk> inet_diag: Rename inet_diag_req into inet_diag_req_v2 2012-01-11T20:56:06Z Pavel Emelyanov xemul@parallels.com 2012-01-10T22:36:35Z urn:sha1:c8991362a0d3cf317dfbfb6cb946607870654e6d Signed-off-by: Pavel Emelyanov <xemul@parallels.com> Signed-off-by: David S. Miller <davem@davemloft.net> module_param: make bool parameters really bool (net & drivers/net) 2011-12-20T03:27:29Z Rusty Russell rusty@rustcorp.com.au 2011-12-19T14:08:01Z urn:sha1:eb93992207dadb946a3b5cf4544957dc924a6f58 module_param(bool) used to counter-intuitively take an int. In fddd5201 (mid-2009) we allowed bool or int/unsigned int using a messy trick. It's time to remove the int/unsigned int option. For this version it'll simply give a warning, but it'll break next kernel version. (Thanks to Joe Perches for suggesting coccinelle for 0/1 -> true/false). Cc: "David S. Miller" <davem@davemloft.net> Cc: netdev@vger.kernel.org Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: David S. Miller <davem@davemloft.net> net: fix assignment of 0/1 to bool variables. 2011-12-20T03:27:29Z Rusty Russell rusty@rustcorp.com.au 2011-12-19T13:56:45Z urn:sha1:3db1cd5c05f35fb43eb134df6f321de4e63141f2 DaveM said: Please, this kind of stuff rots forever and not using bool properly drives me crazy. Joe Perches <joe@perches.com> gave me the spatch script: @@ bool b; @@ -b = 0 +b = false @@ bool b; @@ -b = 1 +b = true I merely installed coccinelle, read the documentation and took credit. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: David S. Miller <davem@davemloft.net> sock_diag: Fix module netlink aliases 2011-12-16T18:48:27Z Pavel Emelyanov xemul@parallels.com 2011-12-15T02:43:27Z urn:sha1:aec8dc62f66199aef153d86e1f90d9c1d14696e3 I've made a mistake when fixing the sock_/inet_diag aliases :( 1. The sock_diag layer should request the family-based alias, not just the IPPROTO_IP one; 2. The inet_diag layer should request for AF_INET+protocol alias, not just the protocol one. Thus fix this. Signed-off-by: Pavel Emelyanov <xemul@parallels.com> Signed-off-by: David S. Miller <davem@davemloft.net> net: use IS_ENABLED(CONFIG_IPV6) 2011-12-11T23:25:16Z Eric Dumazet eric.dumazet@gmail.com 2011-12-10T09:48:31Z urn:sha1:dfd56b8b38fff3586f36232db58e1e9f7885a605 Instead of testing defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> inet_diag: Generalize inet_diag dump and get_exact calls 2011-12-09T19:14:08Z Pavel Emelyanov xemul@parallels.com 2011-12-09T06:23:18Z urn:sha1:1942c518ca017f376b267a7c5e78c15d37202442 Introduce two callbacks in inet_diag_handler -- one for dumping all sockets (with filters) and the other one for dumping a single sk. Replace direct calls to icsk handlers with indirect calls to callbacks provided by handlers. Make existing TCP and DCCP handlers use provided helpers for icsk-s. The UDP diag module will provide its own. Signed-off-by: Pavel Emelyanov <xemul@parallels.com> Signed-off-by: David S. Miller <davem@davemloft.net>