diff options
Diffstat (limited to 'net')
-rw-r--r-- | net/can/af_can.c | 10 | ||||
-rw-r--r-- | net/can/bcm.c | 23 | ||||
-rw-r--r-- | net/can/raw.c | 3 | ||||
-rw-r--r-- | net/ipv6/addrconf.c | 4 | ||||
-rw-r--r-- | net/irda/irnetlink.c | 4 | ||||
-rw-r--r-- | net/mac80211/main.c | 4 | ||||
-rw-r--r-- | net/mac80211/mlme.c | 13 | ||||
-rw-r--r-- | net/sctp/sm_statefuns.c | 9 | ||||
-rw-r--r-- | net/sctp/ulpevent.c | 5 |
9 files changed, 55 insertions, 20 deletions
diff --git a/net/can/af_can.c b/net/can/af_can.c index 7e8ca2836452..484bbf6dd032 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c | |||
@@ -205,12 +205,19 @@ static int can_create(struct net *net, struct socket *sock, int protocol) | |||
205 | * -ENOBUFS on full driver queue (see net_xmit_errno()) | 205 | * -ENOBUFS on full driver queue (see net_xmit_errno()) |
206 | * -ENOMEM when local loopback failed at calling skb_clone() | 206 | * -ENOMEM when local loopback failed at calling skb_clone() |
207 | * -EPERM when trying to send on a non-CAN interface | 207 | * -EPERM when trying to send on a non-CAN interface |
208 | * -EINVAL when the skb->data does not contain a valid CAN frame | ||
208 | */ | 209 | */ |
209 | int can_send(struct sk_buff *skb, int loop) | 210 | int can_send(struct sk_buff *skb, int loop) |
210 | { | 211 | { |
211 | struct sk_buff *newskb = NULL; | 212 | struct sk_buff *newskb = NULL; |
213 | struct can_frame *cf = (struct can_frame *)skb->data; | ||
212 | int err; | 214 | int err; |
213 | 215 | ||
216 | if (skb->len != sizeof(struct can_frame) || cf->can_dlc > 8) { | ||
217 | kfree_skb(skb); | ||
218 | return -EINVAL; | ||
219 | } | ||
220 | |||
214 | if (skb->dev->type != ARPHRD_CAN) { | 221 | if (skb->dev->type != ARPHRD_CAN) { |
215 | kfree_skb(skb); | 222 | kfree_skb(skb); |
216 | return -EPERM; | 223 | return -EPERM; |
@@ -605,6 +612,7 @@ static int can_rcv(struct sk_buff *skb, struct net_device *dev, | |||
605 | struct packet_type *pt, struct net_device *orig_dev) | 612 | struct packet_type *pt, struct net_device *orig_dev) |
606 | { | 613 | { |
607 | struct dev_rcv_lists *d; | 614 | struct dev_rcv_lists *d; |
615 | struct can_frame *cf = (struct can_frame *)skb->data; | ||
608 | int matches; | 616 | int matches; |
609 | 617 | ||
610 | if (dev->type != ARPHRD_CAN || dev_net(dev) != &init_net) { | 618 | if (dev->type != ARPHRD_CAN || dev_net(dev) != &init_net) { |
@@ -612,6 +620,8 @@ static int can_rcv(struct sk_buff *skb, struct net_device *dev, | |||
612 | return 0; | 620 | return 0; |
613 | } | 621 | } |
614 | 622 | ||
623 | BUG_ON(skb->len != sizeof(struct can_frame) || cf->can_dlc > 8); | ||
624 | |||
615 | /* update statistics */ | 625 | /* update statistics */ |
616 | can_stats.rx_frames++; | 626 | can_stats.rx_frames++; |
617 | can_stats.rx_frames_delta++; | 627 | can_stats.rx_frames_delta++; |
diff --git a/net/can/bcm.c b/net/can/bcm.c index d9a3a9d13bed..72c2ce904f83 100644 --- a/net/can/bcm.c +++ b/net/can/bcm.c | |||
@@ -298,7 +298,7 @@ static void bcm_send_to_user(struct bcm_op *op, struct bcm_msg_head *head, | |||
298 | 298 | ||
299 | if (head->nframes) { | 299 | if (head->nframes) { |
300 | /* can_frames starting here */ | 300 | /* can_frames starting here */ |
301 | firstframe = (struct can_frame *) skb_tail_pointer(skb); | 301 | firstframe = (struct can_frame *)skb_tail_pointer(skb); |
302 | 302 | ||
303 | memcpy(skb_put(skb, datalen), frames, datalen); | 303 | memcpy(skb_put(skb, datalen), frames, datalen); |
304 | 304 | ||
@@ -826,6 +826,10 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, | |||
826 | for (i = 0; i < msg_head->nframes; i++) { | 826 | for (i = 0; i < msg_head->nframes; i++) { |
827 | err = memcpy_fromiovec((u8 *)&op->frames[i], | 827 | err = memcpy_fromiovec((u8 *)&op->frames[i], |
828 | msg->msg_iov, CFSIZ); | 828 | msg->msg_iov, CFSIZ); |
829 | |||
830 | if (op->frames[i].can_dlc > 8) | ||
831 | err = -EINVAL; | ||
832 | |||
829 | if (err < 0) | 833 | if (err < 0) |
830 | return err; | 834 | return err; |
831 | 835 | ||
@@ -858,6 +862,10 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, | |||
858 | for (i = 0; i < msg_head->nframes; i++) { | 862 | for (i = 0; i < msg_head->nframes; i++) { |
859 | err = memcpy_fromiovec((u8 *)&op->frames[i], | 863 | err = memcpy_fromiovec((u8 *)&op->frames[i], |
860 | msg->msg_iov, CFSIZ); | 864 | msg->msg_iov, CFSIZ); |
865 | |||
866 | if (op->frames[i].can_dlc > 8) | ||
867 | err = -EINVAL; | ||
868 | |||
861 | if (err < 0) { | 869 | if (err < 0) { |
862 | if (op->frames != &op->sframe) | 870 | if (op->frames != &op->sframe) |
863 | kfree(op->frames); | 871 | kfree(op->frames); |
@@ -1164,9 +1172,12 @@ static int bcm_tx_send(struct msghdr *msg, int ifindex, struct sock *sk) | |||
1164 | 1172 | ||
1165 | skb->dev = dev; | 1173 | skb->dev = dev; |
1166 | skb->sk = sk; | 1174 | skb->sk = sk; |
1167 | can_send(skb, 1); /* send with loopback */ | 1175 | err = can_send(skb, 1); /* send with loopback */ |
1168 | dev_put(dev); | 1176 | dev_put(dev); |
1169 | 1177 | ||
1178 | if (err) | ||
1179 | return err; | ||
1180 | |||
1170 | return CFSIZ + MHSIZ; | 1181 | return CFSIZ + MHSIZ; |
1171 | } | 1182 | } |
1172 | 1183 | ||
@@ -1185,6 +1196,10 @@ static int bcm_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
1185 | if (!bo->bound) | 1196 | if (!bo->bound) |
1186 | return -ENOTCONN; | 1197 | return -ENOTCONN; |
1187 | 1198 | ||
1199 | /* check for valid message length from userspace */ | ||
1200 | if (size < MHSIZ || (size - MHSIZ) % CFSIZ) | ||
1201 | return -EINVAL; | ||
1202 | |||
1188 | /* check for alternative ifindex for this bcm_op */ | 1203 | /* check for alternative ifindex for this bcm_op */ |
1189 | 1204 | ||
1190 | if (!ifindex && msg->msg_name) { | 1205 | if (!ifindex && msg->msg_name) { |
@@ -1259,8 +1274,8 @@ static int bcm_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
1259 | break; | 1274 | break; |
1260 | 1275 | ||
1261 | case TX_SEND: | 1276 | case TX_SEND: |
1262 | /* we need at least one can_frame */ | 1277 | /* we need exactly one can_frame behind the msg head */ |
1263 | if (msg_head.nframes < 1) | 1278 | if ((msg_head.nframes != 1) || (size != CFSIZ + MHSIZ)) |
1264 | ret = -EINVAL; | 1279 | ret = -EINVAL; |
1265 | else | 1280 | else |
1266 | ret = bcm_tx_send(msg, ifindex, sk); | 1281 | ret = bcm_tx_send(msg, ifindex, sk); |
diff --git a/net/can/raw.c b/net/can/raw.c index 69877b8e7e9c..3e46ee36a1aa 100644 --- a/net/can/raw.c +++ b/net/can/raw.c | |||
@@ -632,6 +632,9 @@ static int raw_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
632 | } else | 632 | } else |
633 | ifindex = ro->ifindex; | 633 | ifindex = ro->ifindex; |
634 | 634 | ||
635 | if (size != sizeof(struct can_frame)) | ||
636 | return -EINVAL; | ||
637 | |||
635 | dev = dev_get_by_index(&init_net, ifindex); | 638 | dev = dev_get_by_index(&init_net, ifindex); |
636 | if (!dev) | 639 | if (!dev) |
637 | return -ENXIO; | 640 | return -ENXIO; |
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 2ec73e62202c..8572cb05fc21 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c | |||
@@ -774,12 +774,12 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp) | |||
774 | } | 774 | } |
775 | write_unlock_bh(&idev->lock); | 775 | write_unlock_bh(&idev->lock); |
776 | 776 | ||
777 | addrconf_del_timer(ifp); | ||
778 | |||
777 | ipv6_ifa_notify(RTM_DELADDR, ifp); | 779 | ipv6_ifa_notify(RTM_DELADDR, ifp); |
778 | 780 | ||
779 | atomic_notifier_call_chain(&inet6addr_chain, NETDEV_DOWN, ifp); | 781 | atomic_notifier_call_chain(&inet6addr_chain, NETDEV_DOWN, ifp); |
780 | 782 | ||
781 | addrconf_del_timer(ifp); | ||
782 | |||
783 | /* | 783 | /* |
784 | * Purge or update corresponding prefix | 784 | * Purge or update corresponding prefix |
785 | * | 785 | * |
diff --git a/net/irda/irnetlink.c b/net/irda/irnetlink.c index 9e1fb82e3220..2f05ec1037ab 100644 --- a/net/irda/irnetlink.c +++ b/net/irda/irnetlink.c | |||
@@ -101,8 +101,8 @@ static int irda_nl_get_mode(struct sk_buff *skb, struct genl_info *info) | |||
101 | 101 | ||
102 | hdr = genlmsg_put(msg, info->snd_pid, info->snd_seq, | 102 | hdr = genlmsg_put(msg, info->snd_pid, info->snd_seq, |
103 | &irda_nl_family, 0, IRDA_NL_CMD_GET_MODE); | 103 | &irda_nl_family, 0, IRDA_NL_CMD_GET_MODE); |
104 | if (IS_ERR(hdr)) { | 104 | if (hdr == NULL) { |
105 | ret = PTR_ERR(hdr); | 105 | ret = -EMSGSIZE; |
106 | goto err_out; | 106 | goto err_out; |
107 | } | 107 | } |
108 | 108 | ||
diff --git a/net/mac80211/main.c b/net/mac80211/main.c index cc756e93e6c8..cf477ad39dac 100644 --- a/net/mac80211/main.c +++ b/net/mac80211/main.c | |||
@@ -535,8 +535,6 @@ static int ieee80211_stop(struct net_device *dev) | |||
535 | local->sta_hw_scanning = 0; | 535 | local->sta_hw_scanning = 0; |
536 | } | 536 | } |
537 | 537 | ||
538 | flush_workqueue(local->hw.workqueue); | ||
539 | |||
540 | sdata->u.sta.flags &= ~IEEE80211_STA_PRIVACY_INVOKED; | 538 | sdata->u.sta.flags &= ~IEEE80211_STA_PRIVACY_INVOKED; |
541 | kfree(sdata->u.sta.extra_ie); | 539 | kfree(sdata->u.sta.extra_ie); |
542 | sdata->u.sta.extra_ie = NULL; | 540 | sdata->u.sta.extra_ie = NULL; |
@@ -560,6 +558,8 @@ static int ieee80211_stop(struct net_device *dev) | |||
560 | 558 | ||
561 | ieee80211_led_radio(local, 0); | 559 | ieee80211_led_radio(local, 0); |
562 | 560 | ||
561 | flush_workqueue(local->hw.workqueue); | ||
562 | |||
563 | tasklet_disable(&local->tx_pending_tasklet); | 563 | tasklet_disable(&local->tx_pending_tasklet); |
564 | tasklet_disable(&local->tasklet); | 564 | tasklet_disable(&local->tasklet); |
565 | } | 565 | } |
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 37ea04f5bab9..dbc8cf454bc0 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c | |||
@@ -564,15 +564,14 @@ static void ieee80211_set_associated(struct net_device *dev, | |||
564 | sdata->bss_conf.ht_bss_conf = &conf->ht_bss_conf; | 564 | sdata->bss_conf.ht_bss_conf = &conf->ht_bss_conf; |
565 | } | 565 | } |
566 | 566 | ||
567 | netif_carrier_on(dev); | ||
568 | ifsta->flags |= IEEE80211_STA_PREV_BSSID_SET; | 567 | ifsta->flags |= IEEE80211_STA_PREV_BSSID_SET; |
569 | memcpy(ifsta->prev_bssid, sdata->u.sta.bssid, ETH_ALEN); | 568 | memcpy(ifsta->prev_bssid, sdata->u.sta.bssid, ETH_ALEN); |
570 | memcpy(wrqu.ap_addr.sa_data, sdata->u.sta.bssid, ETH_ALEN); | 569 | memcpy(wrqu.ap_addr.sa_data, sdata->u.sta.bssid, ETH_ALEN); |
571 | ieee80211_sta_send_associnfo(dev, ifsta); | 570 | ieee80211_sta_send_associnfo(dev, ifsta); |
572 | } else { | 571 | } else { |
572 | netif_carrier_off(dev); | ||
573 | ieee80211_sta_tear_down_BA_sessions(dev, ifsta->bssid); | 573 | ieee80211_sta_tear_down_BA_sessions(dev, ifsta->bssid); |
574 | ifsta->flags &= ~IEEE80211_STA_ASSOCIATED; | 574 | ifsta->flags &= ~IEEE80211_STA_ASSOCIATED; |
575 | netif_carrier_off(dev); | ||
576 | changed |= ieee80211_reset_erp_info(dev); | 575 | changed |= ieee80211_reset_erp_info(dev); |
577 | 576 | ||
578 | sdata->bss_conf.assoc_ht = 0; | 577 | sdata->bss_conf.assoc_ht = 0; |
@@ -586,6 +585,10 @@ static void ieee80211_set_associated(struct net_device *dev, | |||
586 | 585 | ||
587 | sdata->bss_conf.assoc = assoc; | 586 | sdata->bss_conf.assoc = assoc; |
588 | ieee80211_bss_info_change_notify(sdata, changed); | 587 | ieee80211_bss_info_change_notify(sdata, changed); |
588 | |||
589 | if (assoc) | ||
590 | netif_carrier_on(dev); | ||
591 | |||
589 | wrqu.ap_addr.sa_family = ARPHRD_ETHER; | 592 | wrqu.ap_addr.sa_family = ARPHRD_ETHER; |
590 | wireless_send_event(dev, SIOCGIWAP, &wrqu, NULL); | 593 | wireless_send_event(dev, SIOCGIWAP, &wrqu, NULL); |
591 | } | 594 | } |
@@ -3694,8 +3697,10 @@ static int ieee80211_sta_find_ibss(struct net_device *dev, | |||
3694 | spin_unlock_bh(&local->sta_bss_lock); | 3697 | spin_unlock_bh(&local->sta_bss_lock); |
3695 | 3698 | ||
3696 | #ifdef CONFIG_MAC80211_IBSS_DEBUG | 3699 | #ifdef CONFIG_MAC80211_IBSS_DEBUG |
3697 | printk(KERN_DEBUG " sta_find_ibss: selected %s current " | 3700 | if (found) |
3698 | "%s\n", print_mac(mac, bssid), print_mac(mac2, ifsta->bssid)); | 3701 | printk(KERN_DEBUG " sta_find_ibss: selected %s current " |
3702 | "%s\n", print_mac(mac, bssid), | ||
3703 | print_mac(mac2, ifsta->bssid)); | ||
3699 | #endif /* CONFIG_MAC80211_IBSS_DEBUG */ | 3704 | #endif /* CONFIG_MAC80211_IBSS_DEBUG */ |
3700 | if (found && memcmp(ifsta->bssid, bssid, ETH_ALEN) != 0 && | 3705 | if (found && memcmp(ifsta->bssid, bssid, ETH_ALEN) != 0 && |
3701 | (bss = ieee80211_rx_bss_get(dev, bssid, | 3706 | (bss = ieee80211_rx_bss_get(dev, bssid, |
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index b66a41d03c0d..8848d329aa2c 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c | |||
@@ -5893,12 +5893,6 @@ static int sctp_eat_data(const struct sctp_association *asoc, | |||
5893 | return SCTP_IERROR_NO_DATA; | 5893 | return SCTP_IERROR_NO_DATA; |
5894 | } | 5894 | } |
5895 | 5895 | ||
5896 | /* If definately accepting the DATA chunk, record its TSN, otherwise | ||
5897 | * wait for renege processing. | ||
5898 | */ | ||
5899 | if (SCTP_CMD_CHUNK_ULP == deliver) | ||
5900 | sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); | ||
5901 | |||
5902 | chunk->data_accepted = 1; | 5896 | chunk->data_accepted = 1; |
5903 | 5897 | ||
5904 | /* Note: Some chunks may get overcounted (if we drop) or overcounted | 5898 | /* Note: Some chunks may get overcounted (if we drop) or overcounted |
@@ -5918,6 +5912,9 @@ static int sctp_eat_data(const struct sctp_association *asoc, | |||
5918 | * and discard the DATA chunk. | 5912 | * and discard the DATA chunk. |
5919 | */ | 5913 | */ |
5920 | if (ntohs(data_hdr->stream) >= asoc->c.sinit_max_instreams) { | 5914 | if (ntohs(data_hdr->stream) >= asoc->c.sinit_max_instreams) { |
5915 | /* Mark tsn as received even though we drop it */ | ||
5916 | sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn)); | ||
5917 | |||
5921 | err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, | 5918 | err = sctp_make_op_error(asoc, chunk, SCTP_ERROR_INV_STRM, |
5922 | &data_hdr->stream, | 5919 | &data_hdr->stream, |
5923 | sizeof(data_hdr->stream)); | 5920 | sizeof(data_hdr->stream)); |
diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c index ce6cda6b6994..a1f654aea268 100644 --- a/net/sctp/ulpevent.c +++ b/net/sctp/ulpevent.c | |||
@@ -710,6 +710,11 @@ struct sctp_ulpevent *sctp_ulpevent_make_rcvmsg(struct sctp_association *asoc, | |||
710 | if (!skb) | 710 | if (!skb) |
711 | goto fail; | 711 | goto fail; |
712 | 712 | ||
713 | /* Now that all memory allocations for this chunk succeeded, we | ||
714 | * can mark it as received so the tsn_map is updated correctly. | ||
715 | */ | ||
716 | sctp_tsnmap_mark(&asoc->peer.tsn_map, ntohl(chunk->subh.data_hdr->tsn)); | ||
717 | |||
713 | /* First calculate the padding, so we don't inadvertently | 718 | /* First calculate the padding, so we don't inadvertently |
714 | * pass up the wrong length to the user. | 719 | * pass up the wrong length to the user. |
715 | * | 720 | * |