aboutsummaryrefslogtreecommitdiff
path: root/net
AgeCommit message (Collapse)Author
2006-02-06[PATCH] Fix extra dst release when ip_options_echo failsHerbert Xu
When two ip_route_output_key lookups in icmp_send were combined I forgot to change the error path for ip_options_echo to not drop the dst reference since it now sits before the dst lookup. To fix it we simply jump past the ip_rt_put call. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-01-14[PATCH] fix /sys/class/net/<if>/wireless without dev->get_wireless_statsAndrey Borzenkov
dev->get_wireless_stats is deprecated but removing it also removes wireless subdirectory in sysfs. This patch puts it back. akpm: I don't know what's happening here. This might be appropriate as a 2.6.15.x compatibility backport. Waiting to hear from Jeff. Signed-off-by: Andrey Borzenkov <arvidjaar@mail.ru> Cc: "David S. Miller" <davem@davemloft.net> Cc: Jeff Garzik <jgarzik@pobox.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-01-14[PATCH] Fix DoS in netlink_rcv_skb() (CVE-2006-0035)Martin Murray
Sanity check nlmsg_len during netlink_rcv_skb. An nlmsg_len == 0 can cause infinite loop in kernel, effectively DoSing machine. Noted by Martin Murray. Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-14[PATCH] Don't match tcp/udp source/destination port for IP fragmentsBart De Schuymer
Signed-off-by: Bart De Schuymer <bdschuym@pandora.be> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-01-14[PATCH] Fix another crash in ip_nat_pptp (CVE-2006-0037)Patrick McHardy
The PPTP NAT helper calculates the offset at which the packet needs to be mangled as difference between two pointers to the header. With non-linear skbs however the pointers may point to two seperate buffers on the stack and the calculation results in a wrong offset beeing used. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-01-14[PATCH] Fix crash in ip_nat_pptp (CVE-2006-0036)Patrick McHardy
When an inbound PPTP_IN_CALL_REQUEST packet is received the PPTP NAT helper uses a NULL pointer in pointer arithmentic to calculate the offset in the packet which needs to be mangled and corrupts random memory or crashes. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-01-14[PATCH] netlink oops fix due to incorrect error codeKirill Korotaev
Fixed oops after failed netlink socket creation. Wrong parathenses in if() statement caused err to be 1, instead of negative value. Trivial fix, not trivial to find though. Signed-Off-By: Dmitry Mishin <dim@sw.ru> Signed-Off-By: Kirill Korotaev <dev@openvz.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2006-01-14[PATCH] BRIDGE: Fix faulty check in br_stp_recalculate_bridge_id()Stephen Hemminger
There is a regression in 2.6.15. One of the conversions from memcmp to compare_ether_addr is incorrect. We need to do relative comparison to determine min MAC address to use in bridge id. This will cause the wrong bridge id to be chosen which violates 802.1d Spanning Tree Protocol, and may create forwarding loops. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2005-12-27[IPV6] mcast: Fix multiple issues in MLDv2 reports.David L Stevens
The below "jumbo" patch fixes the following problems in MLDv2. 1) Add necessary "ntohs" to recent "pskb_may_pull" check [breaks all nonzero source queries on little-endian (!)] 2) Add locking to source filter list [resend of prior patch] 3) fix "mld_marksources()" to a) send nothing when all queried sources are excluded b) send full exclude report when source queried sources are not excluded c) don't schedule a timer when there's nothing to report NOTE: RFC 3810 specifies the source list should be saved and each source reported individually as an IS_IN. This is an obvious DOS path, requiring the host to store and then multicast as many sources as are queried (e.g., millions...). This alternative sends a full, relevant report that's limited to number of sources present on the machine. 4) fix "add_grec()" to send empty-source records when it should The original check doesn't account for a non-empty source list with all sources inactive; the new code keeps that short-circuit case, and also generates the group header with an empty list if needed. 5) fix mca_crcount decrement to be after add_grec(), which needs its original value These issues (other than item #1 ;-) ) were all found by Yan Zheng, much thanks! Signed-off-by: David L Stevens <dlstevens@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-27[NET]: Validate socket filters against BPF_MAXINSNS in one spot.David S. Miller
Currently the checks are scattered all over and this leads to inconsistencies and even cases where the check is not made. Based upon a patch from Kris Katterjohn. Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-27[IPV6]: Fix addrconf dead lock.YOSHIFUJI Hideaki
We need to release idev->lcok before we call addrconf_dad_stop(). It calls ipv6_addr_del(), which will hold idev->lock. Bug spotted by Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-26[BR_NETFILTER]: Fix leak if skb traverses > 1 bridgeDavid Kimdon
Call nf_bridge_put() before allocating a new nf_bridge structure and potentially overwriting the pointer to a previously allocated one. This fixes a memory leak which can occur when the bridge topology allows for an skb to traverse more than one bridge. Signed-off-by: David Kimdon <david.kimdon@devicescape.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-26[IPV6]: Increase default MLD_MAX_MSF to 64.David L Stevens
The existing default of 10 is just way too low. Signed-off-by: David L Stevens <dlstevens@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-23[IPV6]: Fix Temporary Address GenerationHiroyuki YAMAMORI
From: Hiroyuki YAMAMORI <h-yamamo@db3.so-net.ne.jp> Since regen_count is stored in the public address, we need to reset it when we start renewing temporary address. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-23[IPV6]: Fix dead lock.YOSHIFUJI Hideaki
We need to relesae ifp->lock before we call addrconf_dad_stop(), which will hold ifp->lock. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-22Merge git://git.skbuff.net/gitroot/yoshfuji/linux-2.6.14+git+ipv6-fix-20051221aDavid S. Miller
2005-12-22[IPSEC]: Fix policy updates missed by socketsDavid S. Miller
The problem is that when new policies are inserted, sockets do not see the update (but all new route lookups do). This bug is related to the SA insertion stale route issue solved recently, and this policy visibility problem can be fixed in a similar way. The fix is to flush out the bundles of all policies deeper than the policy being inserted. Consider beginning state of "outgoing" direction policy list: policy A --> policy B --> policy C --> policy D First, realize that inserting a policy into a list only potentially changes IPSEC routes for that direction. Therefore we need not bother considering the policies for other directions. We need only consider the existing policies in the list we are doing the inserting. Consider new policy "B'", inserted after B. policy A --> policy B --> policy B' --> policy C --> policy D Two rules: 1) If policy A or policy B matched before the insertion, they appear before B' and thus would still match after inserting B' 2) Policy C and D, now "shadowed" and after policy B', potentially contain stale routes because policy B' might be selected instead of them. Therefore we only need flush routes assosciated with policies appearing after a newly inserted policy, if any. Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-21[DCCP]: Comment typoIan McDonald
I hope to actually change this behaviour shortly but this will help anybody grepping code at present. Signed-off-by: Ian McDonald <imcdnzl@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-21[IPV6]: Fix address deletionKristian Slavov
If you add more than one IPv6 address belonging to the same prefix and delete the address that was last added, routing table entry for that prefix is also deleted. Tested on 2.6.14.4 To reproduce: ip addr add 3ffe::1/64 dev eth0 ip addr add 3ffe::2/64 dev eth0 /* wait DAD */ sleep 1 ip addr del 3ffe::2/64 dev eth0 ip -6 route (route to 3ffe::/64 should be gone) In ipv6_del_addr(), if ifa == ifp, we set ifa->if_next to NULL, and later assign ifap = &ifa->if_next, effectively terminating the for-loop. This prevents us from checking if there are other addresses using the same prefix that are valid, and thus resulting in deletion of the prefix. This applies only if the first entry in idev->addr_list is the address to be deleted. Signed-off-by: Kristian Slavov <kristian.slavov@nomadiclab.com> Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-21[VLAN]: Add two missing checks to vlan_ioctl_handler()Mika Kukkonen
In vlan_ioctl_handler() the code misses couple checks for error return values. Signed-off-by: Mika Kukkonen <mikukkon@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-21[NETROM]: Fix three if-statements in nr_state1_machine()Mika Kukkonen
I found these while compiling with extra gcc warnings; considering the indenting surely they are not intentional? Signed-off-by: Mika Kukkonen <mikukkon@iki.fi> Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-21[IPV6]: Don't select a tentative address as a source address.YOSHIFUJI Hideaki
A tentative address is not considered "assigned to an interface" in the traditional sense (RFC2462 Section 4). Don't try to select such an address for the source address. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
2005-12-21[IPV6]: Run DAD when the link becomes ready.YOSHIFUJI Hideaki
If the link was not available when the interface was created, run DAD for pending tentative addresses when the link becomes ready. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
2005-12-21[IPV6]: Defer IPv6 device initialization until the link becomes ready.YOSHIFUJI Hideaki
NETDEV_UP might be sent even if the link attached to the interface was not ready. DAD does not make sense in such case, so we won't do so. After interface Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
2005-12-21[IPV6]: Try not to send icmp to anycast address.YOSHIFUJI Hideaki
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
2005-12-21[IPV6]: Flag RTF_ANYCAST for anycast routes.YOSHIFUJI Hideaki
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
2005-12-19SUNRPC: Fix "EPIPE" error on mount of rpcsec_gss-protected partitionsTrond Myklebust
gss_create_upcall() should not error just because rpc.gssd closed the pipe on its end. Instead, it should requeue the pending requests and then retry. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
2005-12-19RPC: Do not block on skb allocationTrond Myklebust
If we get something like the following, [ 125.300636] [<c04086e1>] schedule_timeout+0x54/0xa5 [ 125.305931] [<c040866e>] io_schedule_timeout+0x29/0x33 [ 125.311495] [<c02880c4>] blk_congestion_wait+0x70/0x85 [ 125.317058] [<c014136b>] throttle_vm_writeout+0x69/0x7d [ 125.322720] [<c014714d>] shrink_zone+0xe0/0xfa [ 125.327560] [<c01471d4>] shrink_caches+0x6d/0x6f [ 125.332581] [<c01472a6>] try_to_free_pages+0xd0/0x1b5 [ 125.338056] [<c013fa4b>] __alloc_pages+0x135/0x2e8 [ 125.343258] [<c03b74ad>] tcp_sendmsg+0xaa0/0xb78 [ 125.348281] [<c03d4666>] inet_sendmsg+0x48/0x53 [ 125.353212] [<c0388716>] sock_sendmsg+0xb8/0xd3 [ 125.358147] [<c0388773>] kernel_sendmsg+0x42/0x4f [ 125.363259] [<c038bc00>] sock_no_sendpage+0x5e/0x77 [ 125.368556] [<c03ee7af>] xs_tcp_send_request+0x2af/0x375 then the socket is blocked until memory is reclaimed, and no progress can ever be made. Try to access the emergency pools by using GFP_ATOMIC. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
2005-12-19[SCTP]: Fix sctp to not return erroneous POLLOUT events.Neil Horman
Make sctp_writeable() use sk_wmem_alloc rather than sk_wmem_queued to determine the sndbuf space available. It also removes all the modifications to sk_wmem_queued as it is not currently used in SCTP. Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-19[IPSEC]: Perform SA switchover immediately.David S. Miller
When we insert a new xfrm_state which potentially subsumes an existing one, make sure all cached bundles are flushed so that the new SA is used immediately. Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-19[XFRM]: Handle DCCP in xfrm{4,6}_decode_sessionPatrick McHardy
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-19[IPV6]: Fix route lifetime.YOSHIFUJI Hideaki
The route expiration time is stored in rt6i_expires in jiffies. The argument of rt6_route_add() for adding a route is not the expiration time in jiffies nor in clock_t, but the lifetime (or time left before expiration) in clock_t. Because of the confusion, we sometimes saw several strange errors (FAILs) in TAHI IPv6 Ready Logo Phase-2 Self Test. The symptoms were analyzed by Mitsuru Chinen <CHINEN@jp.ibm.com>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-19[BRIDGE-NF]: Fix bridge-nf ipv6 length checkBart De Schuymer
A typo caused some bridged IPv6 packets to get dropped randomly, as reported by Sebastien Chaumontet. The patch below fixes this (using skb->nh.raw instead of raw) and also makes the jumbo packet length checking up-to-date with the code in net/ipv6/exthdrs.c::ipv6_hop_jumbo. Signed-off-by: Bart De Schuymer <bdschuym@pandora.be> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-19[NETFILTER]: Fix incorrect dependency for IP6_NF_TARGET_NFQUEUEPatrick McHardy
IP6_NF_TARGET_NFQUEUE depends on IP6_NF_IPTABLES, not IP_NF_IPTABLES. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-19[NETFILTER]: Fix NAT init orderPatrick McHardy
As noticed by Phil Oester, the GRE NAT protocol helper is initialized before the NAT core, which makes registration fail. Change the linking order to make NAT be initialized first. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-15[PATCH] Address of void __user * is void __user * *, not void * __user *Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-12-14[VLAN]: Fix hardware rx csum errorsStephen Hemminger
Receiving VLAN packets over a device (without VLAN assist) that is doing hardware checksumming (CHECKSUM_HW), causes errors because the VLAN code forgets to adjust the hardware checksum. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14[GRE]: Fix hardware checksum modificationHerbert Xu
The skb_postpull_rcsum introduced a bug to the checksum modification. Although the length pulled is offset bytes, the origin of the pulling is the GRE header, not the IP header. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-13[PKT_SCHED]: Disable debug tracing logs by default in packet action API.David S. Miller
Noticed by Andi Kleen. Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-13[IPV6] addrconf: Do not print device pointer in privacy log message.David S. Miller
Noticed by Andi Kleen, it is pointless to emit the device structure pointer in the kernel logs like this. Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-12[PATCH] ieee80211_crypt_tkip depends on NET_RADIOOlaf Hering
*** Warning: ".wireless_send_event" [net/ieee80211/ieee80211_crypt_tkip.ko] undefined! Signed-off-by: Olaf Hering <olh@suse.de> net/ieee80211/Kconfig | 2 +- 1 files changed, 1 insertion(+), 1 deletion(-) Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
2005-12-12Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/nf-2.6Linus Torvalds
2005-12-12[NETFILTER]: ip_nat_tftp: Fix expectation NATMarcus Sundberg
When a TFTP client is SNATed so that the port is also changed, the port is never changed back for the expected connection. Signed-off-by: Marcus Sundberg <marcus@ingate.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-12[TCPv6]: Fix skb leakArnaldo Carvalho de Melo
Spotted by Francois Romieu, thanks! Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-08[IPv6] IPsec: fix pmtu calculation of espKazunori MIYAZAWA
It is a simple bug which uses the wrong member. This bug does not seriously affect ordinary use of IPsec. But it is important to pass IPv6 ready logo phase-2 conformance test of IPsec SGW. Signed-off-by: Kazunori MIYAZAWA <miyazawa@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-08[NET]: Fix NULL pointer deref in checksum debugging.Stephen Hemminger
The problem I was seeing turned out to be that skb->dev is NULL when the checksum is being completed in user context. This happens because the reference to the device is dropped (to allow it to be released when packets are in the queue). Because skb->dev was NULL, the netdev_rx_csum_fault was panicing on deref of dev->name. How about this? Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-06[AF_PACKET]: Convert PACKET_MMAP over to vm_insert_page().David S. Miller
So we can properly use __GFP_COMP and avoid the use of PG_reserved pages. With extremely helpful review from Hugh Dickins. Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-06[TCP] Vegas: timestamp before cloneDavid S. Miller
We have to store the congestion control timestamp on the SKB before we clone it, not after. Else we get no timestamping information at all. tcp_transmit_skb() has been reworked so that we can do the timestamp still in one spot, instead of at all the call sites. Problem discovered, and initial fix, from Tom Young <tyo@ee.unimelb.edu.au>. Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-06[TCP] Vegas: Remove extra call to tcp_vegas_rtt_calcThomas Young
Remove unneeded call to tcp_vegas_rtt_calc. The more accurate microsecond value has already been registered prior to calling tcp_vegas_cong_avoid. Signed-off-by: Thomas Young <tyo@ee.mu.oz.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-06[TCP] Vegas: stop resetting rtt every ackThomas Young
Move the resetting of rtt measurements to inside the once per RTT block of code. Signed-off-by: Thomas Young <tyo@ee.mu.oz.au> Signed-off-by: David S. Miller <davem@davemloft.net>