diff options
Diffstat (limited to 'net/core')
-rw-r--r-- | net/core/dev.c | 2 | ||||
-rw-r--r-- | net/core/neighbour.c | 7 | ||||
-rw-r--r-- | net/core/rtnetlink.c | 27 |
3 files changed, 27 insertions, 9 deletions
diff --git a/net/core/dev.c b/net/core/dev.c index 908f07c3bd7d..fcdf03cf3b3f 100644 --- a/net/core/dev.c +++ b/net/core/dev.c | |||
@@ -2900,7 +2900,7 @@ int __dev_addr_add(struct dev_addr_list **list, int *count, | |||
2900 | } | 2900 | } |
2901 | } | 2901 | } |
2902 | 2902 | ||
2903 | da = kmalloc(sizeof(*da), GFP_ATOMIC); | 2903 | da = kzalloc(sizeof(*da), GFP_ATOMIC); |
2904 | if (da == NULL) | 2904 | if (da == NULL) |
2905 | return -ENOMEM; | 2905 | return -ENOMEM; |
2906 | memcpy(da->da_addr, addr, alen); | 2906 | memcpy(da->da_addr, addr, alen); |
diff --git a/net/core/neighbour.c b/net/core/neighbour.c index a16cf1ec5e5e..2328acbd16cd 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c | |||
@@ -358,11 +358,12 @@ struct neighbour *neigh_lookup(struct neigh_table *tbl, const void *pkey, | |||
358 | { | 358 | { |
359 | struct neighbour *n; | 359 | struct neighbour *n; |
360 | int key_len = tbl->key_len; | 360 | int key_len = tbl->key_len; |
361 | u32 hash_val = tbl->hash(pkey, dev); | 361 | u32 hash_val; |
362 | 362 | ||
363 | NEIGH_CACHE_STAT_INC(tbl, lookups); | 363 | NEIGH_CACHE_STAT_INC(tbl, lookups); |
364 | 364 | ||
365 | read_lock_bh(&tbl->lock); | 365 | read_lock_bh(&tbl->lock); |
366 | hash_val = tbl->hash(pkey, dev); | ||
366 | for (n = tbl->hash_buckets[hash_val & tbl->hash_mask]; n; n = n->next) { | 367 | for (n = tbl->hash_buckets[hash_val & tbl->hash_mask]; n; n = n->next) { |
367 | if (dev == n->dev && !memcmp(n->primary_key, pkey, key_len)) { | 368 | if (dev == n->dev && !memcmp(n->primary_key, pkey, key_len)) { |
368 | neigh_hold(n); | 369 | neigh_hold(n); |
@@ -379,11 +380,12 @@ struct neighbour *neigh_lookup_nodev(struct neigh_table *tbl, struct net *net, | |||
379 | { | 380 | { |
380 | struct neighbour *n; | 381 | struct neighbour *n; |
381 | int key_len = tbl->key_len; | 382 | int key_len = tbl->key_len; |
382 | u32 hash_val = tbl->hash(pkey, NULL); | 383 | u32 hash_val; |
383 | 384 | ||
384 | NEIGH_CACHE_STAT_INC(tbl, lookups); | 385 | NEIGH_CACHE_STAT_INC(tbl, lookups); |
385 | 386 | ||
386 | read_lock_bh(&tbl->lock); | 387 | read_lock_bh(&tbl->lock); |
388 | hash_val = tbl->hash(pkey, NULL); | ||
387 | for (n = tbl->hash_buckets[hash_val & tbl->hash_mask]; n; n = n->next) { | 389 | for (n = tbl->hash_buckets[hash_val & tbl->hash_mask]; n; n = n->next) { |
388 | if (!memcmp(n->primary_key, pkey, key_len) && | 390 | if (!memcmp(n->primary_key, pkey, key_len) && |
389 | (net == n->dev->nd_net)) { | 391 | (net == n->dev->nd_net)) { |
@@ -507,6 +509,7 @@ struct pneigh_entry * pneigh_lookup(struct neigh_table *tbl, | |||
507 | if (tbl->pconstructor && tbl->pconstructor(n)) { | 509 | if (tbl->pconstructor && tbl->pconstructor(n)) { |
508 | if (dev) | 510 | if (dev) |
509 | dev_put(dev); | 511 | dev_put(dev); |
512 | release_net(net); | ||
510 | kfree(n); | 513 | kfree(n); |
511 | n = NULL; | 514 | n = NULL; |
512 | goto out; | 515 | goto out; |
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 61ac8d06292c..2bd9c5f7627d 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c | |||
@@ -689,10 +689,12 @@ const struct nla_policy ifla_policy[IFLA_MAX+1] = { | |||
689 | [IFLA_BROADCAST] = { .type = NLA_BINARY, .len = MAX_ADDR_LEN }, | 689 | [IFLA_BROADCAST] = { .type = NLA_BINARY, .len = MAX_ADDR_LEN }, |
690 | [IFLA_MAP] = { .len = sizeof(struct rtnl_link_ifmap) }, | 690 | [IFLA_MAP] = { .len = sizeof(struct rtnl_link_ifmap) }, |
691 | [IFLA_MTU] = { .type = NLA_U32 }, | 691 | [IFLA_MTU] = { .type = NLA_U32 }, |
692 | [IFLA_LINK] = { .type = NLA_U32 }, | ||
692 | [IFLA_TXQLEN] = { .type = NLA_U32 }, | 693 | [IFLA_TXQLEN] = { .type = NLA_U32 }, |
693 | [IFLA_WEIGHT] = { .type = NLA_U32 }, | 694 | [IFLA_WEIGHT] = { .type = NLA_U32 }, |
694 | [IFLA_OPERSTATE] = { .type = NLA_U8 }, | 695 | [IFLA_OPERSTATE] = { .type = NLA_U8 }, |
695 | [IFLA_LINKMODE] = { .type = NLA_U8 }, | 696 | [IFLA_LINKMODE] = { .type = NLA_U8 }, |
697 | [IFLA_LINKINFO] = { .type = NLA_NESTED }, | ||
696 | [IFLA_NET_NS_PID] = { .type = NLA_U32 }, | 698 | [IFLA_NET_NS_PID] = { .type = NLA_U32 }, |
697 | }; | 699 | }; |
698 | 700 | ||
@@ -720,6 +722,21 @@ static struct net *get_net_ns_by_pid(pid_t pid) | |||
720 | return net; | 722 | return net; |
721 | } | 723 | } |
722 | 724 | ||
725 | static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[]) | ||
726 | { | ||
727 | if (dev) { | ||
728 | if (tb[IFLA_ADDRESS] && | ||
729 | nla_len(tb[IFLA_ADDRESS]) < dev->addr_len) | ||
730 | return -EINVAL; | ||
731 | |||
732 | if (tb[IFLA_BROADCAST] && | ||
733 | nla_len(tb[IFLA_BROADCAST]) < dev->addr_len) | ||
734 | return -EINVAL; | ||
735 | } | ||
736 | |||
737 | return 0; | ||
738 | } | ||
739 | |||
723 | static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm, | 740 | static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm, |
724 | struct nlattr **tb, char *ifname, int modified) | 741 | struct nlattr **tb, char *ifname, int modified) |
725 | { | 742 | { |
@@ -892,12 +909,7 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | |||
892 | goto errout; | 909 | goto errout; |
893 | } | 910 | } |
894 | 911 | ||
895 | if (tb[IFLA_ADDRESS] && | 912 | if ((err = validate_linkmsg(dev, tb)) < 0) |
896 | nla_len(tb[IFLA_ADDRESS]) < dev->addr_len) | ||
897 | goto errout_dev; | ||
898 | |||
899 | if (tb[IFLA_BROADCAST] && | ||
900 | nla_len(tb[IFLA_BROADCAST]) < dev->addr_len) | ||
901 | goto errout_dev; | 913 | goto errout_dev; |
902 | 914 | ||
903 | err = do_setlink(dev, ifm, tb, ifname, 0); | 915 | err = do_setlink(dev, ifm, tb, ifname, 0); |
@@ -1018,6 +1030,9 @@ replay: | |||
1018 | else | 1030 | else |
1019 | dev = NULL; | 1031 | dev = NULL; |
1020 | 1032 | ||
1033 | if ((err = validate_linkmsg(dev, tb)) < 0) | ||
1034 | return err; | ||
1035 | |||
1021 | if (tb[IFLA_LINKINFO]) { | 1036 | if (tb[IFLA_LINKINFO]) { |
1022 | err = nla_parse_nested(linkinfo, IFLA_INFO_MAX, | 1037 | err = nla_parse_nested(linkinfo, IFLA_INFO_MAX, |
1023 | tb[IFLA_LINKINFO], ifla_info_policy); | 1038 | tb[IFLA_LINKINFO], ifla_info_policy); |