linux/net, branch v2.6.20.13

[PATCH] NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)

2007-06-07T21:23:05Z

When creating a new connection by sending an unknown chunk type, we don't transition to a valid state, causing a NULL pointer dereference in sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE]. Fix by don't creating new conntrack entry if initial state is invalid. Noticed by Vilmos Nebehaj CC: Kiran Kumar Immidi Cc: David Miller Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman Signed-off-by: Chris Wright

Fix IRDA oops'er

2007-05-02T00:05:59Z

This fixes and OOPS due to incorrect socket orpahning in the IRDA stack. [IrDA]: Correctly handling socket error This patch fixes an oops first reported in mid 2006 - see http://lkml.org/lkml/2006/8/29/358 The cause of this bug report is that when an error is signalled on the socket, irda_recvmsg_stream returns without removing a local wait_queue variable from the socket's sk_sleep queue. This causes havoc further down the road. In response to this problem, a patch was made that invoked sock_orphan on the socket when receiving a disconnect indication. This is not a good fix, as this sets sk_sleep to NULL, causing applications sleeping in recvmsg (and other places) to oops. This is against the latest net-2.6 and should be considered for -stable inclusion. Signed-off-by: Olaf Kirch Signed-off-by: Samuel Ortiz Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman

Fix netpoll UDP input path

2007-05-02T00:05:58Z

Netpoll UDP input handler needs to pull up the UDP headers and handle receive checksum offloading properly just like the normal UDP input path does else we get corrupted checksums. [NET]: Fix UDP checksum issue in net poll mode. In net poll mode, the current checksum function doesn't consider the kind of packet which is padded to reach a specific minimum length. I believe that's the problem causing my test case failed. The following patch fixed this issue. Signed-off-by: Aubrey.Li Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman

Fix errors in tcp_mem[] calculations.

2007-05-02T00:05:58Z

In 2.6.18 a change was made to the tcp_mem[] calculations, but this causes regressions for some folks up to 2.6.20 The following fix to smooth out the calculation from the pending 2.6.21 tree by John Heffner fixes the problem for these folks. [TCP]: Fix tcp_mem[] initialization. Change tcp_mem initialization function. The fraction of total memory is now a continuous function of memory size, and independent of page size. Signed-off-by: John Heffner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman

knfsd: Use a spinlock to protect sk_info_authunix

2007-05-02T00:05:53Z

sk_info_authunix is not being protected properly so the object that it points to can be cache_put twice, leading to corruption. We borrow svsk->sk_defer_lock to provide the protection. We should probably rename that lock to have a more generic name - later. Thanks to Gabriel for reporting this. Cc: Greg Banks Cc: Gabriel Barazer Signed-off-by: Neil Brown Signed-off-by: Greg Kroah-Hartman

IPV6: Fix for RT0 header ipv6 change.

2007-04-27T21:26:22Z

[IPV6]: Fix thinko in ipv6_rthdr_rcv() changes. Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman

IPV4: Fix OOPS'er added to netlink fib.

2007-04-27T21:26:22Z

[IPV4] nl_fib_lookup: Initialise res.r before fib_res_put(&res) When CONFIG_IP_MULTIPLE_TABLES is enabled, the code in nl_fib_lookup() needs to initialize the res.r field before fib_res_put(&res) - unlike fib_lookup(), a direct call to ->tb_lookup does not set this field. Signed-off-by: Sergey Vlasov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman

[PATCH] IPV6: Disallow RH0 by default.

2007-04-26T05:06:33Z

[IPV6]: Disallow RH0 by default. A security issue is emerging. Disallow Routing Header Type 0 by default as we have been doing for IPv4. Note: We allow RH2 by default because it is harmless. Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman

[PATCH] NETLINK: Infinite recursion in netlink.

2007-04-25T21:12:21Z

[NETLINK]: Infinite recursion in netlink. Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel, which resulted in infinite recursion and stack overflow. The bug is present in all kernel versions since the feature appeared. The patch also makes some minimal cleanup: 1. Return something consistent (-ENOENT) when fib table is missing 2. Do not crash when queue is empty (does not happen, but yet) 3. Put result of lookup Signed-off-by: Alexey Kuznetsov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman

softmac: avoid assert in ieee80211softmac_wx_get_rate

2007-04-13T20:47:17Z

[PATCH] softmac: avoid assert in ieee80211softmac_wx_get_rate Unconfigured bcm43xx device can hit an assert() during wx_get_rate queries. This is because bcm43xx calls ieee80211softmac_start late (i.e. during open instead of probe). bcm43xx_net_open -> bcm43xx_init_board -> bcm43xx_select_wireless_core -> ieee80211softmac_start Fix is to check that device is running before completing ieee80211softmac_wx_get_rate. Signed-off-by: John W. Linville Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman