7 files changed, 33 insertions, 25 deletions
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 76ff9f4fe89d..4ea8cf7c0cc4 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -379,8 +379,8 @@ static struct inet6_dev * ipv6_add_dev(struct net_device *dev)
                    dev->type == ARPHRD_NONE ||
                    dev->type == ARPHRD_SIT) {
                        printk(KERN_INFO
-                                "Disabled Privacy Extensions on device %p(%s)\n",
+                               "%s: Disabled Privacy Extensions\n",
-                                dev, dev->name);
+                               dev->name);
                        ndev->cnf.use_tempaddr = -1;
                } else {
                        in6_dev_hold(ndev);
@@ -1596,9 +1596,17 @@ void addrconf_prefix_rcv(struct net_device *dev, u8 *opt, int len)
           not good.
         */
        if (valid_lft >= 0x7FFFFFFF/HZ)
-                rt_expires = 0;
+                rt_expires = 0x7FFFFFFF - (0x7FFFFFFF % HZ);
        else
-                rt_expires = jiffies + valid_lft * HZ;
+                rt_expires = valid_lft * HZ;
+        /*
+         * We convert this (in jiffies) to clock_t later.
+         * Avoid arithmetic overflow there as well.
+         * Overflow can happen only if HZ < USER_HZ.
+         */
+        if (HZ < USER_HZ && rt_expires > 0x7FFFFFFF / USER_HZ)
+                rt_expires = 0x7FFFFFFF / USER_HZ;
        if (pinfo->onlink) {
                struct rt6_info *rt;
@@ -1610,12 +1618,12 @@ void addrconf_prefix_rcv(struct net_device *dev, u8 *opt, int len)
                                        ip6_del_rt(rt, NULL, NULL, NULL);
                                        rt = NULL;
                                } else {
-                                        rt->rt6i_expires = rt_expires;
+                                        rt->rt6i_expires = jiffies + rt_expires;
                                }
                        }
                } else if (valid_lft) {
                        addrconf_prefix_route(&pinfo->prefix, pinfo->prefix_len,
-                                              dev, rt_expires, RTF_ADDRCONF|RTF_EXPIRES|RTF_PREFIX_RT);
+                                              dev, jiffies_to_clock_t(rt_expires), RTF_ADDRCONF|RTF_EXPIRES|RTF_PREFIX_RT);
                }
                if (rt)
                        dst_release(&rt->u.dst);
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 40d9a1935ab5..8bfbe9970793 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -248,7 +248,7 @@ static u32 esp6_get_max_size(struct xfrm_state *x, int mtu)
        if (esp->conf.padlen)
                mtu = ALIGN(mtu, esp->conf.padlen);
-        return mtu + x->props.header_len + esp->auth.icv_full_len;
+        return mtu + x->props.header_len + esp->auth.icv_trunc_len;
 }
 static void esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 060d61202412..04912f9b35c3 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -211,7 +211,7 @@ config IP6_NF_TARGET_REJECT
 config IP6_NF_TARGET_NFQUEUE
        tristate "NFQUEUE Target Support"
-        depends on IP_NF_IPTABLES
+        depends on IP6_NF_IPTABLES
        help
          This Target replaced the old obsolete QUEUE target.
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index c0f1da5497a9..a7e03cfacd06 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -68,8 +68,8 @@ static int icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,
                [ICMPV6_NI_REPLY - 128]         = ICMPV6_NI_REPLY +1
        };
-        __u8 type = orig->dst.u.icmp.type - 128;
+        int type = orig->dst.u.icmp.type - 128;
-        if (type >= sizeof(invmap) || !invmap[type])
+        if (type < 0 || type >= sizeof(invmap) || !invmap[type])
                return 0;
        tuple->src.u.icmp.id   = orig->src.u.icmp.id;
@@ -129,12 +129,12 @@ static int icmpv6_new(struct nf_conn *conntrack,
                [ICMPV6_ECHO_REQUEST - 128] = 1,
                [ICMPV6_NI_QUERY - 128] = 1
        };
+        int type = conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128;
-        if (conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128 >= sizeof(valid_new)
+        if (type < 0 || type >= sizeof(valid_new) || !valid_new[type]) {
-            || !valid_new[conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128]) {
                /* Can't create a new ICMPv6 `conn' with this. */
-                DEBUGP("icmp: can't create new conn with type %u\n",
+                DEBUGP("icmpv6: can't create new conn with type %u\n",
-                       conntrack->tuplehash[0].tuple.dst.u.icmp.type);
+                       type + 128);
                NF_CT_DUMP_TUPLE(&conntrack->tuplehash[0].tuple);
                return 0;
        }
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index a7a537b50595..7c68bfbee361 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -829,7 +829,7 @@ int ip6_route_add(struct in6_rtmsg *rtmsg, struct nlmsghdr *nlh,
        }
        rt->u.dst.obsolete = -1;
-        rt->rt6i_expires = clock_t_to_jiffies(rtmsg->rtmsg_info);
+        rt->rt6i_expires = jiffies + clock_t_to_jiffies(rtmsg->rtmsg_info);
        if (nlh && (r = NLMSG_DATA(nlh))) {
                rt->rt6i_protocol = r->rtm_protocol;
        } else {
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 62c0e5bd931c..8827389abaf7 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -992,13 +992,12 @@ static void tcp_v6_send_reset(struct sk_buff *skb)
        /* sk = NULL, but it is safe for now. RST socket required. */
        if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {
-                if ((xfrm_lookup(&buff->dst, &fl, NULL, 0)) < 0)
+                if (xfrm_lookup(&buff->dst, &fl, NULL, 0) >= 0) {
+                        ip6_xmit(NULL, buff, &fl, NULL, 0);
+                        TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
+                        TCP_INC_STATS_BH(TCP_MIB_OUTRSTS);
                        return;
+                }
-                ip6_xmit(NULL, buff, &fl, NULL, 0);
-                TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
-                TCP_INC_STATS_BH(TCP_MIB_OUTRSTS);
-                return;
        }
        kfree_skb(buff);
@@ -1057,11 +1056,11 @@ static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack, u32 win, u32
        fl.fl_ip_sport = t1->source;
        if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {
-                if ((xfrm_lookup(&buff->dst, &fl, NULL, 0)) < 0)
+                if (xfrm_lookup(&buff->dst, &fl, NULL, 0) >= 0) {
+                        ip6_xmit(NULL, buff, &fl, NULL, 0);
+                        TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
                        return;
-                ip6_xmit(NULL, buff, &fl, NULL, 0);
+                }
-                TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
-                return;
        }
        kfree_skb(buff);
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index cf1d91e74c82..69bd957380e7 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -214,6 +214,7 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl)
                case IPPROTO_UDP:
                case IPPROTO_TCP:
                case IPPROTO_SCTP:
+                case IPPROTO_DCCP:
                        if (pskb_may_pull(skb, skb->nh.raw + offset + 4 - skb->data)) {
                                u16 *ports = (u16 *)exthdr;

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 76ff9f4fe89d..4ea8cf7c0cc4 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c
@@ -379,8 +379,8 @@ static struct inet6_dev * ipv6_add_dev(struct net_device *dev)
379	dev->type == ARPHRD_NONE \|\|	379	dev->type == ARPHRD_NONE \|\|
380	dev->type == ARPHRD_SIT) {	380	dev->type == ARPHRD_SIT) {
381	printk(KERN_INFO	381	printk(KERN_INFO
382	"Disabled Privacy Extensions on device %p(%s)\n",	382	"%s: Disabled Privacy Extensions\n",
383	dev, dev->name);	383	dev->name);
384	ndev->cnf.use_tempaddr = -1;	384	ndev->cnf.use_tempaddr = -1;
385	} else {	385	} else {
386	in6_dev_hold(ndev);	386	in6_dev_hold(ndev);
@@ -1596,9 +1596,17 @@ void addrconf_prefix_rcv(struct net_device dev, u8 opt, int len)
1596	not good.	1596	not good.
1597	*/	1597	*/
1598	if (valid_lft >= 0x7FFFFFFF/HZ)	1598	if (valid_lft >= 0x7FFFFFFF/HZ)
1599	rt_expires = 0;	1599	rt_expires = 0x7FFFFFFF - (0x7FFFFFFF % HZ);
1600	else	1600	else
1601	rt_expires = jiffies + valid_lft * HZ;	1601	rt_expires = valid_lft * HZ;
		1602
		1603	/*
		1604	* We convert this (in jiffies) to clock_t later.
		1605	* Avoid arithmetic overflow there as well.
		1606	* Overflow can happen only if HZ < USER_HZ.
		1607	*/
		1608	if (HZ < USER_HZ && rt_expires > 0x7FFFFFFF / USER_HZ)
		1609	rt_expires = 0x7FFFFFFF / USER_HZ;
1602		1610
1603	if (pinfo->onlink) {	1611	if (pinfo->onlink) {
1604	struct rt6_info *rt;	1612	struct rt6_info *rt;
@@ -1610,12 +1618,12 @@ void addrconf_prefix_rcv(struct net_device dev, u8 opt, int len)
1610	ip6_del_rt(rt, NULL, NULL, NULL);	1618	ip6_del_rt(rt, NULL, NULL, NULL);
1611	rt = NULL;	1619	rt = NULL;
1612	} else {	1620	} else {
1613	rt->rt6i_expires = rt_expires;	1621	rt->rt6i_expires = jiffies + rt_expires;
1614	}	1622	}
1615	}	1623	}
1616	} else if (valid_lft) {	1624	} else if (valid_lft) {
1617	addrconf_prefix_route(&pinfo->prefix, pinfo->prefix_len,	1625	addrconf_prefix_route(&pinfo->prefix, pinfo->prefix_len,
1618	dev, rt_expires, RTF_ADDRCONF\|RTF_EXPIRES\|RTF_PREFIX_RT);	1626	dev, jiffies_to_clock_t(rt_expires), RTF_ADDRCONF\|RTF_EXPIRES\|RTF_PREFIX_RT);
1619	}	1627	}
1620	if (rt)	1628	if (rt)
1621	dst_release(&rt->u.dst);	1629	dst_release(&rt->u.dst);


diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 40d9a1935ab5..8bfbe9970793 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c
@@ -248,7 +248,7 @@ static u32 esp6_get_max_size(struct xfrm_state *x, int mtu)
248	if (esp->conf.padlen)	248	if (esp->conf.padlen)
249	mtu = ALIGN(mtu, esp->conf.padlen);	249	mtu = ALIGN(mtu, esp->conf.padlen);
250		250
251	return mtu + x->props.header_len + esp->auth.icv_full_len;	251	return mtu + x->props.header_len + esp->auth.icv_trunc_len;
252	}	252	}
253		253
254	static void esp6_err(struct sk_buff skb, struct inet6_skb_parm opt,	254	static void esp6_err(struct sk_buff skb, struct inet6_skb_parm opt,


diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index 060d61202412..04912f9b35c3 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig
@@ -211,7 +211,7 @@ config IP6_NF_TARGET_REJECT
211		211
212	config IP6_NF_TARGET_NFQUEUE	212	config IP6_NF_TARGET_NFQUEUE
213	tristate "NFQUEUE Target Support"	213	tristate "NFQUEUE Target Support"
214	depends on IP_NF_IPTABLES	214	depends on IP6_NF_IPTABLES
215	help	215	help
216	This Target replaced the old obsolete QUEUE target.	216	This Target replaced the old obsolete QUEUE target.
217		217


diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c index c0f1da5497a9..a7e03cfacd06 100644 --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -68,8 +68,8 @@ static int icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,
68	[ICMPV6_NI_REPLY - 128] = ICMPV6_NI_REPLY +1	68	[ICMPV6_NI_REPLY - 128] = ICMPV6_NI_REPLY +1
69	};	69	};
70		70
71	__u8 type = orig->dst.u.icmp.type - 128;	71	int type = orig->dst.u.icmp.type - 128;
72	if (type >= sizeof(invmap) \|\| !invmap[type])	72	if (type < 0 \|\| type >= sizeof(invmap) \|\| !invmap[type])
73	return 0;	73	return 0;
74		74
75	tuple->src.u.icmp.id = orig->src.u.icmp.id;	75	tuple->src.u.icmp.id = orig->src.u.icmp.id;
@@ -129,12 +129,12 @@ static int icmpv6_new(struct nf_conn *conntrack,
129	[ICMPV6_ECHO_REQUEST - 128] = 1,	129	[ICMPV6_ECHO_REQUEST - 128] = 1,
130	[ICMPV6_NI_QUERY - 128] = 1	130	[ICMPV6_NI_QUERY - 128] = 1
131	};	131	};
		132	int type = conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128;
132		133
133	if (conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128 >= sizeof(valid_new)	134	if (type < 0 \|\| type >= sizeof(valid_new) \|\| !valid_new[type]) {
134	\|\| !valid_new[conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128]) {
135	/* Can't create a new ICMPv6 `conn' with this. */	135	/* Can't create a new ICMPv6 `conn' with this. */
136	DEBUGP("icmp: can't create new conn with type %u\n",	136	DEBUGP("icmpv6: can't create new conn with type %u\n",
137	conntrack->tuplehash[0].tuple.dst.u.icmp.type);	137	type + 128);
138	NF_CT_DUMP_TUPLE(&conntrack->tuplehash[0].tuple);	138	NF_CT_DUMP_TUPLE(&conntrack->tuplehash[0].tuple);
139	return 0;	139	return 0;
140	}	140	}


diff --git a/net/ipv6/route.c b/net/ipv6/route.c index a7a537b50595..7c68bfbee361 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c
@@ -829,7 +829,7 @@ int ip6_route_add(struct in6_rtmsg rtmsg, struct nlmsghdr nlh,
829	}	829	}
830		830
831	rt->u.dst.obsolete = -1;	831	rt->u.dst.obsolete = -1;
832	rt->rt6i_expires = clock_t_to_jiffies(rtmsg->rtmsg_info);	832	rt->rt6i_expires = jiffies + clock_t_to_jiffies(rtmsg->rtmsg_info);
833	if (nlh && (r = NLMSG_DATA(nlh))) {	833	if (nlh && (r = NLMSG_DATA(nlh))) {
834	rt->rt6i_protocol = r->rtm_protocol;	834	rt->rt6i_protocol = r->rtm_protocol;
835	} else {	835	} else {


diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 62c0e5bd931c..8827389abaf7 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c
@@ -992,13 +992,12 @@ static void tcp_v6_send_reset(struct sk_buff *skb)
992	/* sk = NULL, but it is safe for now. RST socket required. */	992	/* sk = NULL, but it is safe for now. RST socket required. */
993	if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {	993	if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {
994		994
995	if ((xfrm_lookup(&buff->dst, &fl, NULL, 0)) < 0)	995	if (xfrm_lookup(&buff->dst, &fl, NULL, 0) >= 0) {
		996	ip6_xmit(NULL, buff, &fl, NULL, 0);
		997	TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
		998	TCP_INC_STATS_BH(TCP_MIB_OUTRSTS);
996	return;	999	return;
997		1000	}
998	ip6_xmit(NULL, buff, &fl, NULL, 0);
999	TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
1000	TCP_INC_STATS_BH(TCP_MIB_OUTRSTS);
1001	return;
1002	}	1001	}
1003		1002
1004	kfree_skb(buff);	1003	kfree_skb(buff);
@@ -1057,11 +1056,11 @@ static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack, u32 win, u32
1057	fl.fl_ip_sport = t1->source;	1056	fl.fl_ip_sport = t1->source;
1058		1057
1059	if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {	1058	if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {
1060	if ((xfrm_lookup(&buff->dst, &fl, NULL, 0)) < 0)	1059	if (xfrm_lookup(&buff->dst, &fl, NULL, 0) >= 0) {
		1060	ip6_xmit(NULL, buff, &fl, NULL, 0);
		1061	TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
1061	return;	1062	return;
1062	ip6_xmit(NULL, buff, &fl, NULL, 0);	1063	}
1063	TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
1064	return;
1065	}	1064	}
1066		1065
1067	kfree_skb(buff);	1066	kfree_skb(buff);


diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c index cf1d91e74c82..69bd957380e7 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c
@@ -214,6 +214,7 @@ _decode_session6(struct sk_buff skb, struct flowi fl)
214	case IPPROTO_UDP:	214	case IPPROTO_UDP:
215	case IPPROTO_TCP:	215	case IPPROTO_TCP:
216	case IPPROTO_SCTP:	216	case IPPROTO_SCTP:
		217	case IPPROTO_DCCP:
217	if (pskb_may_pull(skb, skb->nh.raw + offset + 4 - skb->data)) {	218	if (pskb_may_pull(skb, skb->nh.raw + offset + 4 - skb->data)) {
218	u16 ports = (u16 )exthdr;	219	u16 ports = (u16 )exthdr;
219		220