linux/net, branch v2.6.16.1

[PATCH] NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated.

2006-03-28T06:47:30Z

The user can pass us arbitrary garbage so we should ensure the string they give us is null terminated before we pass it on to dev_get_by_index() et al. Found by Solar Designer. Signed-off-by: David S. Miller Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman

[PATCH] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242)

2006-03-28T06:47:30Z

The problem is in ip_push_pending_frames(), which uses: if (!df) { __ip_select_ident(iph, &rt->u.dst, 0); } else { iph->id = htons(inet->id++); } instead of ip_select_ident(). Right now I think the code is a nonsense. Most likely, I copied it from old ip_build_xmit(), where it was really special, we had to decide whether to generate unique ID when generating the first (well, the last) fragment. In ip_push_pending_frames() it does not make sense, it should use plain ip_select_ident() instead. Signed-off-by: Alexey Kuznetsov Signed-off-by: David S. Miller Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman

[AX.25]: Fix potencial memory hole.

2006-03-19T21:20:06Z

If the AX.25 dialect chosen by the sysadmin is set to DAMA master / 3 (or DAMA slave / 2, if CONFIG_AX25_DAMA_SLAVE=n) ax25_kick() will fall through the switch statement without calling ax25_send_iframe() or any other function that would eventually free skbn thus leaking the packet. Fix by restricting the sysctl inferface to allow only actually supported AX.25 dialects. The system administration mistake needed for this to happen is rather unlikely, so this is an uncritical hole. Coverity #651. Signed-off-by: Ralf Baechle DL5RB Signed-off-by: David S. Miller

[PATCH] ieee80211: Fix QoS is not active problem

2006-03-15T21:16:07Z

Fix QoS is not active even the network and the card is QOS enabled. The problem is we pass the wrong ieee80211_network address to ipw_handle_beacon/ipw_handle_probe_response, thus the ieee80211_network->qos_data.active will not be set, causing the driver not sending QoS frames at all. Signed-off-by: Hong Liu Signed-off-by: Zhu Yi Signed-off-by: John W. Linville

[PATCH] ieee80211: Fix CCMP decryption problem when QoS is enabled

2006-03-15T21:11:55Z

Use the correct STYPE for Qos data. Signed-off-by: Zhu Yi Signed-off-by: John W. Linville

[PATCH] SUNRPC: Fix potential deadlock in RPC code

2006-03-14T15:57:18Z

In rpc_wake_up() and rpc_wake_up_status(), it is possible for the call to __rpc_wake_up_task() to fail if another thread happens to be calling rpc_wake_up_task() on the same rpc_task. Problem noticed by Bruno Faccini. Signed-off-by: Trond Myklebust Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] SUNRPC: fix a NULL pointer dereference in net/sunrpc/clnt.c

2006-03-14T15:57:17Z

The Coverity checker spotted this possible NULL pointer dereference in rpc_new_client(). Signed-off-by: Adrian Bunk Signed-off-by: Trond Myklebust Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[TCP]: Fix zero port problem in IPv6

2006-03-13T22:26:12Z

When we link a socket into the hash table, we need to make sure that we set the num/port fields so that it shows us with a non-zero port value in proc/netlink and on the wire. This code and comment is copied over from the IPv4 stack as is. Signed-off-by: Herbert Xu

[NETFILTER]: arp_tables: fix NULL pointer dereference

2006-03-13T04:40:43Z

The check is wrong and lets NULL-ptrs slip through since !IS_ERR(NULL) is true. Coverity #190 Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[IPV4/6]: Fix UFO error propagation

2006-03-13T04:39:40Z

When ufo_append_data fails err is uninitialized, but returned back. Strangely gcc doesn't notice it. Coverity #901 and #902 Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller