Merge branch 'master' of ../netdev/

13 files changed, 39 insertions, 37 deletions

diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index ba6f73eb06c6..a9aff9c7d027 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -4,7 +4,7 @@
 
 menuconfig BRIDGE_NF_EBTABLES
         tristate "Ethernet Bridge tables (ebtables) support"
-        depends on BRIDGE && BRIDGE_NETFILTER
+        depends on BRIDGE && NETFILTER
         select NETFILTER_XTABLES
         help
           ebtables is a general, extensible frame/packet identification
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 1b745d412cf6..dd2b9478ddd1 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -466,8 +466,13 @@ int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                 goto out;
 
         if (addr->sin_family != AF_INET) {
+                /* Compatibility games : accept AF_UNSPEC (mapped to AF_INET)
+                 * only if s_addr is INADDR_ANY.
+                 */
                 err = -EAFNOSUPPORT;
-                goto out;
+                if (addr->sin_family != AF_UNSPEC ||
+                    addr->sin_addr.s_addr != htonl(INADDR_ANY))
+                        goto out;
         }
 
         chk_addr_ret = inet_addr_type(sock_net(sk), addr->sin_addr.s_addr);
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index 5c9b9d963918..e59aabd0eae4 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -218,6 +218,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
         return skb;
 
 nlmsg_failure:
+        kfree_skb(skb);
         *errp = -EINVAL;
         printk(KERN_ERR "ip_queue: error creating packet message\n");
         return NULL;
@@ -313,7 +314,7 @@ ipq_set_verdict(struct ipq_verdict_msg *vmsg, unsigned int len)
 {
         struct nf_queue_entry *entry;
 
-        if (vmsg->value > NF_MAX_VERDICT)
+        if (vmsg->value > NF_MAX_VERDICT || vmsg->value == NF_STOLEN)
                 return -EINVAL;
 
         entry = ipq_find_dequeue_entry(vmsg->id);
@@ -358,12 +359,9 @@ ipq_receive_peer(struct ipq_peer_msg *pmsg,
                 break;
 
         case IPQM_VERDICT:
-                if (pmsg->msg.verdict.value > NF_MAX_VERDICT)
-                        status = -EINVAL;
-                else
-                        status = ipq_set_verdict(&pmsg->msg.verdict,
-                                                 len - sizeof(*pmsg));
-                        break;
+                status = ipq_set_verdict(&pmsg->msg.verdict,
+                                         len - sizeof(*pmsg));
+                break;
         default:
                 status = -EINVAL;
         }
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 9ef1831746ef..b46e9f88ce37 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -599,7 +599,7 @@ int datagram_recv_ctl(struct sock *sk, struct msghdr *msg, struct sk_buff *skb)
         return 0;
 }
 
-int datagram_send_ctl(struct net *net,
+int datagram_send_ctl(struct net *net, struct sock *sk,
                       struct msghdr *msg, struct flowi6 *fl6,
                       struct ipv6_txoptions *opt,
                       int *hlimit, int *tclass, int *dontfrag)
@@ -658,7 +658,8 @@ int datagram_send_ctl(struct net *net,
 
                         if (addr_type != IPV6_ADDR_ANY) {
                                 int strict = __ipv6_addr_src_scope(addr_type) <= IPV6_ADDR_SCOPE_LINKLOCAL;
-                                if (!ipv6_chk_addr(net, &src_info->ipi6_addr,
+                                if (!inet_sk(sk)->transparent &&
+                                    !ipv6_chk_addr(net, &src_info->ipi6_addr,
                                                    strict ? dev : NULL, 0))
                                         err = -EINVAL;
                                 else
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index f3caf1b8d572..543039450193 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -322,8 +322,8 @@ static int fl6_renew(struct ip6_flowlabel *fl, unsigned long linger, unsigned lo
 }
 
 static struct ip6_flowlabel *
-fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval,
-          int optlen, int *err_p)
+fl_create(struct net *net, struct sock *sk, struct in6_flowlabel_req *freq,
+          char __user *optval, int optlen, int *err_p)
 {
         struct ip6_flowlabel *fl = NULL;
         int olen;
@@ -360,7 +360,7 @@ fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval,
                 msg.msg_control = (void*)(fl->opt+1);
                 memset(&flowi6, 0, sizeof(flowi6));
 
-                err = datagram_send_ctl(net, &msg, &flowi6, fl->opt, &junk,
+                err = datagram_send_ctl(net, sk, &msg, &flowi6, fl->opt, &junk,
                                         &junk, &junk);
                 if (err)
                         goto done;
@@ -528,7 +528,7 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
                 if (freq.flr_label & ~IPV6_FLOWLABEL_MASK)
                         return -EINVAL;
 
-                fl = fl_create(net, &freq, optval, optlen, &err);
+                fl = fl_create(net, sk, &freq, optval, optlen, &err);
                 if (fl == NULL)
                         return err;
                 sfl1 = kmalloc(sizeof(*sfl1), GFP_KERNEL);
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 147ede38ab48..2fbda5fc4cc4 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -475,7 +475,7 @@ sticky_done:
                 msg.msg_controllen = optlen;
                 msg.msg_control = (void*)(opt+1);
 
-                retv = datagram_send_ctl(net, &msg, &fl6, opt, &junk, &junk,
+                retv = datagram_send_ctl(net, sk, &msg, &fl6, opt, &junk, &junk,
                                          &junk);
                 if (retv)
                         goto done;
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 249394863284..e63c3972a739 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -218,6 +218,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
         return skb;
 
 nlmsg_failure:
+        kfree_skb(skb);
         *errp = -EINVAL;
         printk(KERN_ERR "ip6_queue: error creating packet message\n");
         return NULL;
@@ -313,7 +314,7 @@ ipq_set_verdict(struct ipq_verdict_msg *vmsg, unsigned int len)
 {
         struct nf_queue_entry *entry;
 
-        if (vmsg->value > NF_MAX_VERDICT)
+        if (vmsg->value > NF_MAX_VERDICT || vmsg->value == NF_STOLEN)
                 return -EINVAL;
 
         entry = ipq_find_dequeue_entry(vmsg->id);
@@ -358,12 +359,9 @@ ipq_receive_peer(struct ipq_peer_msg *pmsg,
                 break;
 
         case IPQM_VERDICT:
-                if (pmsg->msg.verdict.value > NF_MAX_VERDICT)
-                        status = -EINVAL;
-                else
-                        status = ipq_set_verdict(&pmsg->msg.verdict,
-                                                 len - sizeof(*pmsg));
-                        break;
+                status = ipq_set_verdict(&pmsg->msg.verdict,
+                                         len - sizeof(*pmsg));
+                break;
         default:
                 status = -EINVAL;
         }
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 6a79f3081bdb..343852e5c703 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -817,8 +817,8 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
                 memset(opt, 0, sizeof(struct ipv6_txoptions));
                 opt->tot_len = sizeof(struct ipv6_txoptions);
 
-                err = datagram_send_ctl(sock_net(sk), msg, &fl6, opt, &hlimit,
-                                        &tclass, &dontfrag);
+                err = datagram_send_ctl(sock_net(sk), sk, msg, &fl6, opt,
+                                        &hlimit, &tclass, &dontfrag);
                 if (err < 0) {
                         fl6_sock_release(flowlabel);
                         return err;
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 29213b51c499..bb95e8e1c6f9 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1090,8 +1090,8 @@ do_udp_sendmsg:
                 memset(opt, 0, sizeof(struct ipv6_txoptions));
                 opt->tot_len = sizeof(*opt);
 
-                err = datagram_send_ctl(sock_net(sk), msg, &fl6, opt, &hlimit,
-                                        &tclass, &dontfrag);
+                err = datagram_send_ctl(sock_net(sk), sk, msg, &fl6, opt,
+                                        &hlimit, &tclass, &dontfrag);
                 if (err < 0) {
                         fl6_sock_release(flowlabel);
                         return err;
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index 2fd4565144de..31d56b23b9e9 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -364,6 +364,7 @@ pptp_inbound_pkt(struct sk_buff *skb,
                 break;
 
         case PPTP_WAN_ERROR_NOTIFY:
+        case PPTP_SET_LINK_INFO:
         case PPTP_ECHO_REQUEST:
         case PPTP_ECHO_REPLY:
                 /* I don't have to explain these ;) */
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 37bf94394be0..8235b86b4e87 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -409,7 +409,7 @@ static void tcp_options(const struct sk_buff *skb,
                         if (opsize < 2) /* "silly options" */
                                 return;
                         if (opsize > length)
-                                break;  /* don't parse partial options */
+                                return; /* don't parse partial options */
 
                         if (opcode == TCPOPT_SACK_PERM
                             && opsize == TCPOLEN_SACK_PERM)
@@ -447,7 +447,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
         BUG_ON(ptr == NULL);
 
         /* Fast path for timestamp-only option */
-        if (length == TCPOLEN_TSTAMP_ALIGNED*4
+        if (length == TCPOLEN_TSTAMP_ALIGNED
             && *(__be32 *)ptr == htonl((TCPOPT_NOP << 24)
                                        | (TCPOPT_NOP << 16)
                                        | (TCPOPT_TIMESTAMP << 8)
@@ -469,7 +469,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
                         if (opsize < 2) /* "silly options" */
                                 return;
                         if (opsize > length)
-                                break;  /* don't parse partial options */
+                                return; /* don't parse partial options */
 
                         if (opcode == TCPOPT_SACK
                             && opsize >= (TCPOLEN_SACK_BASE
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 00bd475eab4b..a80b0cb03f17 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -646,8 +646,8 @@ verdicthdr_get(const struct nlattr * const nfqa[])
                 return NULL;
 
         vhdr = nla_data(nfqa[NFQA_VERDICT_HDR]);
-        verdict = ntohl(vhdr->verdict);
-        if ((verdict & NF_VERDICT_MASK) > NF_MAX_VERDICT)
+        verdict = ntohl(vhdr->verdict) & NF_VERDICT_MASK;
+        if (verdict > NF_MAX_VERDICT || verdict == NF_STOLEN)
                 return NULL;
         return vhdr;
 }
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index 76a083184d8e..ed0db15ab00e 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -78,7 +78,7 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
 {
         struct xt_rateest_match_info *info = par->matchinfo;
         struct xt_rateest *est1, *est2;
-        int ret = false;
+        int ret = -EINVAL;
 
         if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
                                      XT_RATEEST_MATCH_REL)) != 1)
@@ -101,13 +101,12 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
         if (!est1)
                 goto err1;
 
+        est2 = NULL;
         if (info->flags & XT_RATEEST_MATCH_REL) {
                 est2 = xt_rateest_lookup(info->name2);
                 if (!est2)
                         goto err2;
-        } else
-                est2 = NULL;
-
+        }
 
         info->est1 = est1;
         info->est2 = est2;
@@ -116,7 +115,7 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
 err2:
         xt_rateest_put(est1);
 err1:
-        return -EINVAL;
+        return ret;
 }
 
 static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par)